CVE-2022-50344

EUVD-2022-55618
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix null-ptr-deref in ext4_write_info

I caught a null-ptr-deref bug as follows:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339
RIP: 0010:ext4_write_info+0x53/0x1b0
[...]
Call Trace:
 dquot_writeback_dquots+0x341/0x9a0
 ext4_sync_fs+0x19e/0x800
 __sync_filesystem+0x83/0x100
 sync_filesystem+0x89/0xf0
 generic_shutdown_super+0x79/0x3e0
 kill_block_super+0xa1/0x110
 deactivate_locked_super+0xac/0x130
 deactivate_super+0xb6/0xd0
 cleanup_mnt+0x289/0x400
 __cleanup_mnt+0x16/0x20
 task_work_run+0x11c/0x1c0
 exit_to_user_mode_prepare+0x203/0x210
 syscall_exit_to_user_mode+0x5b/0x3a0
 do_syscall_64+0x59/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
 ==================================================================

Above issue may happen as follows:
-------------------------------------
exit_to_user_mode_prepare
 task_work_run
  __cleanup_mnt
   cleanup_mnt
    deactivate_super
     deactivate_locked_super
      kill_block_super
       generic_shutdown_super
        shrink_dcache_for_umount
         dentry = sb->s_root
         sb->s_root = NULL              <--- Here set NULL
        sync_filesystem
         __sync_filesystem
          sb->s_op->sync_fs > ext4_sync_fs
           dquot_writeback_dquots
            sb->dq_op->write_info > ext4_write_info
             ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)
              d_inode(sb->s_root)
               s_root->d_inode          <--- Null pointer dereference

To solve this problem, we use ext4_journal_start_sb directly
to avoid s_root being used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
𝑥
< 4.9.331
linuxlinux_kernel
4.10 ≤
𝑥
< 4.14.296
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.262
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.220
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.150
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.75
linuxlinux_kernel
5.16 ≤
𝑥
< 5.19.17
linuxlinux_kernel
6.0 ≤
𝑥
< 6.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.147-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.237-1
fixed
forky
6.16.3-1
fixed
sid
6.16.7-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.41-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-64kb
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-default-base
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP3
5.3.18-150300.59.221.1.150300.18.132.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1.150400.24.92.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1.150500.6.59.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
kernel-docs
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-macros
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-obs-build
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-preempt
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
kernel-source
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-syms
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.275.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP3
5.3.18-150300.59.221.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.179.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.124.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:7.0.0-284.11.1.el9_2
fixed
kernel
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-devel
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-devel-matched
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-modules
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-modules-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-debug-modules-extra
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-devel
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-devel-matched
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-modules
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-modules-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-64k-modules-extra
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-abi-stablelists
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-core
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-core
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-devel
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-modules-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-debug-uki-virt
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-devel
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-doc
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-modules
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-modules-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-tools
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-tools-libs
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-tools-libs-devel
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-uki-virt
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-modules-core
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
perf
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
python3-perf
RHEL 8
0:4.18.0-553.el8_10
fixed
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
rtla
RHEL 9
0:5.14.0-284.11.1.el9_2
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4
https://git.kernel.org/stable/c/4a657319cfabd6199fd0b7b65bbebf6ded7a11c1
https://git.kernel.org/stable/c/533c60a0b97cee5daab376933f486207e6680fb7
https://git.kernel.org/stable/c/947264e00c46de19a016fd81218118c708fed2f3
https://git.kernel.org/stable/c/bb420e8afc854d2a1caaa23a0c129839acfb7888
https://git.kernel.org/stable/c/dc451578446afd03c0c21913993c08898a691435
https://git.kernel.org/stable/c/f34ab95162763cd7352f46df169296eec28b688d
https://git.kernel.org/stable/c/f4b5ff0b794aa94afac7269c494550ca2f66511b
https://git.kernel.org/stable/c/f9c1f248607d5546075d3f731e7607d5571f2b60