CVE-2022-49170
- Source
- https://cve.org/CVERecord?id=CVE-2022-49170
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49170.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49170
- Downstream
- Published
- 2025-02-26T01:55:27.562Z
- Modified
- 2026-03-11T04:11:29.457826Z
- Summary
- f2fs: fix to do sanity check on curseg->alloc_type
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on curseg->alloc_type
As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215657
Overview UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image
Reproduce tested on kernel 5.17-rc4, 5.17-rc6
- mkdir test_crash
- cd test_crash
- unzip tmp2.zip
- mkdir mnt
- ./single_test.sh f2fs 2
- Kernel dump [ 46.434454] loop0: detected capacity change from 0 to 131072 [ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9 [ 46.738319] ================================================================================ [ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 [ 46.738475] index 231 is out of range for type 'unsigned int [2]' [ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1 [ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 46.738551] Call Trace: [ 46.738556] <TASK> [ 46.738563] dumpstacklvl+0x47/0x5c [ 46.738581] ubsan_epilogue+0x5/0x50 [ 46.738592] __ubsanhandleoutofbounds+0x68/0x80 [ 46.738604] f2fsallocatedatablock+0xdff/0xe60 [f2fs] [ 46.738819] dowritepage+0xef/0x210 [f2fs] [ 46.738934] f2fsdowritenode_page+0x3f/0x80 [f2fs] [ 46.739038] __writenodepage+0x2b7/0x920 [f2fs] [ 46.739162] f2fssyncnodepages+0x943/0xb00 [f2fs] [ 46.739293] f2fswritecheckpoint+0x7bb/0x1030 [f2fs] [ 46.739405] killf2fssuper+0x125/0x150 [f2fs] [ 46.739507] deactivatelockedsuper+0x60/0xc0 [ 46.739517] deactivatesuper+0x70/0xb0 [ 46.739524] cleanup_mnt+0x11a/0x200 [ 46.739532] _cleanupmnt+0x16/0x20 [ 46.739538] taskworkrun+0x67/0xa0 [ 46.739547] exittousermodeprepare+0x18c/0x1a0 [ 46.739559] syscallexittousermode+0x26/0x40 [ 46.739568] dosyscall64+0x46/0xb0 [ 46.739584] entrySYSCALL64afterhwframe+0x44/0xae
The root cause is we missed to do sanity check on curseg->alloctype, result in out-of-bound accessing on sbi->blockcount[] array, fix it.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49170.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0748a0f7dcb9d9dddc80302d73ebcecef6782ef0
- https://git.kernel.org/stable/c/498b7088db71f9707359448cd6800bbb1882f4c3
- https://git.kernel.org/stable/c/c12765e3f129b144421c80d3383df885f85ee290
- https://git.kernel.org/stable/c/f41ee8b91c00770d718be2ff4852a80017ae9ab3
- https://git.kernel.org/stable/c/f68caedf264a95c0b02dfd0d9f92ac2637d5848a
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49170.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49170
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced98e4da8ca301e062d79ae168c67e56f3c3de3ce4Fixed498b7088db71f9707359448cd6800bbb1882f4c3Fixedf68caedf264a95c0b02dfd0d9f92ac2637d5848aFixed0748a0f7dcb9d9dddc80302d73ebcecef6782ef0Fixedc12765e3f129b144421c80d3383df885f85ee290Fixedf41ee8b91c00770d718be2ff4852a80017ae9ab3
Affected versions
v3.*
v3.10
v3.10-rc1
v3.10-rc2
v3.10-rc3
v3.10-rc4
v3.10-rc5
v3.10-rc6
v3.10-rc7
v3.11
v3.11-rc1
v3.11-rc2
v3.11-rc3
v3.11-rc4
v3.11-rc5
v3.11-rc6
v3.11-rc7
v3.12
v3.12-rc1
v3.12-rc2
v3.12-rc3
v3.12-rc4
v3.12-rc5
v3.12-rc6
v3.12-rc7
v3.13
v3.13-rc1
v3.13-rc2
v3.13-rc3
v3.13-rc4
v3.13-rc5
v3.13-rc6
v3.13-rc7
v3.13-rc8
v3.14
v3.14-rc1
v3.14-rc2
v3.14-rc3
v3.14-rc4
v3.14-rc5
v3.14-rc6
v3.14-rc7
v3.14-rc8
v3.15
v3.15-rc1
v3.15-rc2
v3.15-rc3
v3.15-rc4
v3.15-rc5
v3.15-rc6
v3.15-rc7
v3.15-rc8
v3.16
v3.16-rc1
v3.16-rc2
v3.16-rc3
v3.16-rc4
v3.16-rc5
v3.16-rc6
v3.16-rc7
v3.17
v3.17-rc1
v3.17-rc2
v3.17-rc3
v3.17-rc4
v3.17-rc5
v3.17-rc6
v3.17-rc7
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7
v3.8
v3.8-rc1
v3.8-rc2
v3.8-rc3
v3.8-rc4
v3.8-rc5
v3.8-rc6
v3.8-rc7
v3.9
v3.9-rc1
v3.9-rc2
v3.9-rc3
v3.9-rc4
v3.9-rc5
v3.9-rc6
v3.9-rc7
v3.9-rc8
v4.*
v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49170.json"
vanir_signatures
[
{
"id": "CVE-2022-49170-1a9ac9df",
"digest": {
"line_hashes": [
"125037466769412603611892722689196968580",
"31280801685353181003669148493616420491",
"224881338185054825678590352434737777868"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f68caedf264a95c0b02dfd0d9f92ac2637d5848a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c"
}
},
{
"id": "CVE-2022-49170-69a80d24",
"digest": {
"line_hashes": [
"120952476039336894013159334001230539390",
"149905902320396906693274339061822612067",
"224881338185054825678590352434737777868"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@498b7088db71f9707359448cd6800bbb1882f4c3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c"
}
},
{
"id": "CVE-2022-49170-6ca5e3ca",
"digest": {
"function_hash": "204665229547502981925445953349196578340",
"length": 855.0
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c12765e3f129b144421c80d3383df885f85ee290",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c",
"function": "sanity_check_curseg"
}
},
{
"id": "CVE-2022-49170-75c3bdd1",
"digest": {
"function_hash": "204665229547502981925445953349196578340",
"length": 855.0
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f41ee8b91c00770d718be2ff4852a80017ae9ab3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c",
"function": "sanity_check_curseg"
}
},
{
"id": "CVE-2022-49170-87e34321",
"digest": {
"line_hashes": [
"125037466769412603611892722689196968580",
"31280801685353181003669148493616420491",
"224881338185054825678590352434737777868"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f41ee8b91c00770d718be2ff4852a80017ae9ab3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c"
}
},
{
"id": "CVE-2022-49170-a24d5b24",
"digest": {
"function_hash": "5621030566992158023042850511483346154",
"length": 766.0
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@498b7088db71f9707359448cd6800bbb1882f4c3",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c",
"function": "sanity_check_curseg"
}
},
{
"id": "CVE-2022-49170-a746657b",
"digest": {
"line_hashes": [
"125037466769412603611892722689196968580",
"31280801685353181003669148493616420491",
"224881338185054825678590352434737777868"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0748a0f7dcb9d9dddc80302d73ebcecef6782ef0",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c"
}
},
{
"id": "CVE-2022-49170-cb5578c3",
"digest": {
"function_hash": "204665229547502981925445953349196578340",
"length": 855.0
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0748a0f7dcb9d9dddc80302d73ebcecef6782ef0",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c",
"function": "sanity_check_curseg"
}
},
{
"id": "CVE-2022-49170-ce0fb0b4",
"digest": {
"function_hash": "204665229547502981925445953349196578340",
"length": 855.0
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f68caedf264a95c0b02dfd0d9f92ac2637d5848a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c",
"function": "sanity_check_curseg"
}
},
{
"id": "CVE-2022-49170-d63a4c55",
"digest": {
"line_hashes": [
"125037466769412603611892722689196968580",
"31280801685353181003669148493616420491",
"224881338185054825678590352434737777868"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c12765e3f129b144421c80d3383df885f85ee290",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.c"
}
}
]