FKIE_CVE-2022-49707

Vulnerability from fkie_nvd - Published: 2025-02-26 07:01 - Updated: 2025-10-01 20:17
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: add reserved GDT blocks check We capture a NULL pointer issue when resizing a corrupt ext4 image which is freshly clear resize_inode feature (not run e2fsck). It could be simply reproduced by following steps. The problem is because of the resize_inode feature was cleared, and it will convert the filesystem to meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was not reduced to zero, so could we mistakenly call reserve_backup_gdb() and passing an uninitialized resize_inode to it when adding new group descriptors. mkfs.ext4 /dev/sda 3G tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck mount /dev/sda /mnt resize2fs /dev/sda 8G ======== BUG: kernel NULL pointer dereference, address: 0000000000000028 CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748 ... RIP: 0010:ext4_flex_group_add+0xe08/0x2570 ... Call Trace: <TASK> ext4_resize_fs+0xbec/0x1660 __ext4_ioctl+0x1749/0x24e0 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0xa6/0x110 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2dd739617b ======== The fix is simple, add a check in ext4_resize_begin() to make sure that the es->s_reserved_gdt_blocks is zero when the resize_inode feature is disabled.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0dc2fca8e4f9ac4a40e8424a10163369cca0cc06Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/33b1bba31f4c784d33d2c2517964bdccdc9204cdPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7c921328ac760bba780bdace41f4cd045f7f1405Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/af75c481a2e45e70f62f5942c93695e95bf7bd21Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b55c3cd102a6f48b90e61c44f7f3dda8c290c694Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b9747263b13e5290ac4d63bec47e38f701303cadPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bfd004a1d3a062aac300523d406ac1f3e5f1a82cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fba54289176702a7caac0b64738406775817f451Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.19
linux linux_kernel 5.19
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF939175-79DE-4866-B38C-4C8F9896B785",
              "versionEndExcluding": "4.9.320",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D4E7BA7-6B66-4B9A-991A-AD516DADF77D",
              "versionEndExcluding": "4.14.285",
              "versionStartIncluding": "4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A08E48B-CA77-4A21-9558-17D61C146BE9",
              "versionEndExcluding": "4.19.249",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "80B2AE57-4A7E-40BB-8C83-33D4436CE199",
              "versionEndExcluding": "5.4.200",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6442F2CD-FF1C-4574-9948-138835E635D7",
              "versionEndExcluding": "5.10.124",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "697D250E-E0A4-41BE-BB54-96385E129206",
              "versionEndExcluding": "5.15.49",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDD33A19-B51E-4090-A47B-073098916815",
              "versionEndExcluding": "5.18.6",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add reserved GDT blocks check\n\nWe capture a NULL pointer issue when resizing a corrupt ext4 image which\nis freshly clear resize_inode feature (not run e2fsck). It could be\nsimply reproduced by following steps. The problem is because of the\nresize_inode feature was cleared, and it will convert the filesystem to\nmeta_bg mode in ext4_resize_fs(), but the es-\u003es_reserved_gdt_blocks was\nnot reduced to zero, so could we mistakenly call reserve_backup_gdb()\nand passing an uninitialized resize_inode to it when adding new group\ndescriptors.\n\n mkfs.ext4 /dev/sda 3G\n tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck\n mount /dev/sda /mnt\n resize2fs /dev/sda 8G\n\n ========\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748\n ...\n RIP: 0010:ext4_flex_group_add+0xe08/0x2570\n ...\n Call Trace:\n  \u003cTASK\u003e\n  ext4_resize_fs+0xbec/0x1660\n  __ext4_ioctl+0x1749/0x24e0\n  ext4_ioctl+0x12/0x20\n  __x64_sys_ioctl+0xa6/0x110\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f2dd739617b\n ========\n\nThe fix is simple, add a check in ext4_resize_begin() to make sure that\nthe es-\u003es_reserved_gdt_blocks is zero when the resize_inode feature is\ndisabled."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: agregar bloques GDT reservados comprobar Capturamos un problema de puntero NULL al cambiar el tama\u00f1o de una imagen ext4 corrupta que reci\u00e9n borra la caracter\u00edstica resize_inode (no ejecuta e2fsck). Podr\u00eda reproducirse simplemente siguiendo los pasos. El problema se debe a que se borr\u00f3 la caracter\u00edstica resize_inode y convertir\u00e1 el sistema de archivos al modo meta_bg en ext4_resize_fs(), pero es-\u0026gt;s_reserved_gdt_blocks no se redujo a cero, por lo que podr\u00edamos llamar por error a reserve_backup_gdb() y pasarle un resize_inode no inicializado al agregar nuevos descriptores de grupo. mkfs.ext4 /dev/sda 3G tune2fs -O ^resize_inode /dev/sda #olvid\u00e9 ejecutar el montaje e2fsck solicitado /dev/sda /mnt resize2fs /dev/sda 8G ======== ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000028 CPU: 19 PID: 3243 Comm: resize2fs No contaminado 5.18.0-rc7-00001-gfde086c5ebfd #748 ... RIP: 0010:ext4_flex_group_add+0xe08/0x2570 ... Seguimiento de llamadas:  ext4_resize_fs+0xbec/0x1660 __ext4_ioctl+0x1749/0x24e0 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0xa6/0x110 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2dd739617b ======== La soluci\u00f3n es simple, agregue una comprobaci\u00f3n en ext4_resize_begin() para asegurarse de que es-\u0026gt;s_reserved_gdt_blocks sea cero cuando la funci\u00f3n resize_inode est\u00e9 deshabilitada."
    }
  ],
  "id": "CVE-2022-49707",
  "lastModified": "2025-10-01T20:17:06.913",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-26T07:01:46.500",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0dc2fca8e4f9ac4a40e8424a10163369cca0cc06"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/33b1bba31f4c784d33d2c2517964bdccdc9204cd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7c921328ac760bba780bdace41f4cd045f7f1405"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/af75c481a2e45e70f62f5942c93695e95bf7bd21"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b55c3cd102a6f48b90e61c44f7f3dda8c290c694"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b9747263b13e5290ac4d63bec47e38f701303cad"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bfd004a1d3a062aac300523d406ac1f3e5f1a82c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/fba54289176702a7caac0b64738406775817f451"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.