CVE-2022-50743

Summary

In the Linux kernel, the following vulnerability has been resolved:

erofs: Fix pcluster memleak when its block address is zero

syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed

unreferenced object 0xffff88811009c7f8 (size 136): … backtrace: [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740 [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580 [<ffffffff814bc0d6>] read_pages+0x86/0x3d0 …

syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be zero although pcl is not a inline pcluster.

Then following path adds refcount for grp, but the refcount won't be put because pcl is inline.

z_erofs_readahead() z_erofs_do_read_page() # for another page z_erofs_collector_begin() erofs_find_workgroup() erofs_workgroup_get()

Since it's illegal for the block address of a non-inlined pcluster to be zero, add check here to avoid registering the pcluster which would be leaked.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxcecf864d3d76d50e3d9c58145e286a0b8c284e92 < ac54c1f7b288d83b6ba1e320efff24ecc21309cdaffected
LinuxLinuxcecf864d3d76d50e3d9c58145e286a0b8c284e92 < 618e712b99c78d1004b70a1a9ab0a4830d0b2673affected
LinuxLinuxcecf864d3d76d50e3d9c58145e286a0b8c284e92 < c42c0ffe81176940bd5dead474216b7198d77675affected
LinuxLinux5.17affected
LinuxLinux0 < 5.17unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References