CVE-2022-49170

Published: Feb 26, 2025

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on curseg->alloc_type As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215657 - Overview UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image - Reproduce tested on kernel 5.17-rc4, 5.17-rc6 1. mkdir test_crash 2. cd test_crash 3. unzip tmp2.zip 4. mkdir mnt 5. ./single_test.sh f2fs 2 - Kernel dump [ 46.434454] loop0: detected capacity change from 0 to 131072 [ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9 [ 46.738319] ================================================================================ [ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 [ 46.738475] index 231 is out of range for type 'unsigned int [2]' [ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1 [ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 46.738551] Call Trace: [ 46.738556] <TASK> [ 46.738563] dump_stack_lvl+0x47/0x5c [ 46.738581] ubsan_epilogue+0x5/0x50 [ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80 [ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs] [ 46.738819] do_write_page+0xef/0x210 [f2fs] [ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs] [ 46.739038] __write_node_page+0x2b7/0x920 [f2fs] [ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs] [ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs] [ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs] [ 46.739507] deactivate_locked_super+0x60/0xc0 [ 46.739517] deactivate_super+0x70/0xb0 [ 46.739524] cleanup_mnt+0x11a/0x200 [ 46.739532] __cleanup_mnt+0x16/0x20 [ 46.739538] task_work_run+0x67/0xa0 [ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0 [ 46.739559] syscall_exit_to_user_mode+0x26/0x40 [ 46.739568] do_syscall_64+0x46/0xb0 [ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is we missed to do sanity check on curseg->alloc_type, result in out-of-bound accessing on sbi->block_count[] array, fix it.

Vendor	Product	Versions
Linux	Linux	affected `98e4da8ca301e062d79ae168c67e56f3c3de3ce4 - < 498b7088db71f9707359448cd6800bbb1882f4c3` affected `98e4da8ca301e062d79ae168c67e56f3c3de3ce4 - < f68caedf264a95c0b02dfd0d9f92ac2637d5848a` affected `98e4da8ca301e062d79ae168c67e56f3c3de3ce4 - < 0748a0f7dcb9d9dddc80302d73ebcecef6782ef0` affected `98e4da8ca301e062d79ae168c67e56f3c3de3ce4 - < c12765e3f129b144421c80d3383df885f85ee290` affected `98e4da8ca301e062d79ae168c67e56f3c3de3ce4 - < f41ee8b91c00770d718be2ff4852a80017ae9ab3`
Linux	Linux	affected `3.8` unaffected `0 - < 3.8` unaffected `5.10.110 - <= 5.10.` unaffected `5.15.33 - <= 5.15.` unaffected `5.16.19 - <= 5.16.*` +2 more versions

References

https://git.kernel.org/stable/c/498b7088db71f9707359448cd6800bbb1882f4c3

https://git.kernel.org/stable/c/f68caedf264a95c0b02dfd0d9f92ac2637d5848a

https://git.kernel.org/stable/c/0748a0f7dcb9d9dddc80302d73ebcecef6782ef0

https://git.kernel.org/stable/c/c12765e3f129b144421c80d3383df885f85ee290

https://git.kernel.org/stable/c/f41ee8b91c00770d718be2ff4852a80017ae9ab3

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-49170

Description

Affected Products

References