CVE-2022-49363

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on block address in f2fs_do_zero_range() As Yanming reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215894 I have encountered a bug in F2FS file system in kernel v5.17. I have uploaded the system call sequence as case.c, and a fuzzed image can be found in google net disk The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands: kernel BUG at fs/f2fs/segment.c:2291! Call Trace: f2fs_invalidate_blocks+0x193/0x2d0 f2fs_fallocate+0x2593/0x4a70 vfs_fallocate+0x2a5/0xac0 ksys_fallocate+0x35/0x70 __x64_sys_fallocate+0x8e/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is, after image was fuzzed, block mapping info in inode will be inconsistent with SIT table, so in f2fs_fallocate(), it will cause panic when updating SIT with invalid blkaddr. Let's fix the issue by adding sanity check on block address before updating SIT table with it.

CVSS Score

Affected Products

References

• https://git.kernel.org/stable/c/25f8236213a91efdf708b9d77e9e51b6fc3e141cPatch
• https://git.kernel.org/stable/c/470493be19a5730ed432e3ac0f29a2ee7fc6c557Patch
• https://git.kernel.org/stable/c/7361c9f2bd6a8f0cbb41cdea9aff04765ff23f67Patch
• https://git.kernel.org/stable/c/805b48b234a2803cb7daec7f158af12f0fbaefacPatch
• https://git.kernel.org/stable/c/a34d7b49894b0533222188a52e2958750f830efdPatch
• https://git.kernel.org/stable/c/f2e1c38b5ac64eb1a16a89c52fb419409d12c25bPatch