In the Linux kernel, the following vulnerability has been resolved:
erofs: fix buffer copy overflow of ztailpacking feature
I got a KASAN report as below:
[ 46.959738] ==================================================================
[ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[ 46.960430] Call Trace:
[ 46.960430] <TASK>
[ 46.960430] dump_stack_lvl+0x41/0x5e
[ 46.960430] print_report.cold+0xb2/0x6b7
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_report+0x8a/0x140
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_check_range+0x14d/0x1d0
[ 46.960430] memcpy+0x20/0x60
[ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080
The root cause is that the tail pcluster won't be a complete filesystem
block anymore. So if ztailpacking is used, the second part of an
uncompressed tail pcluster may not be rq->pageofs_out.
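To make the arithmetic behind that root cause concrete, here is an added, simplified model (not the kernel's code) of how an uncompressed pcluster is split across two output pages: the pre-fix assumption copies rq->pageofs_out bytes into the second page, while the correct length is whatever remains of rq->outputsize after the first page's share. Function names and input values are constructed for this example; the 4074-byte offset mirrors the read size in the KASAN report above.

```c
#include <stdio.h>

#define PAGE_SIZE 4096u

/* Bytes of the uncompressed pcluster that fit in the first output page,
 * which starts at byte offset pageofs_out within that page. */
static unsigned int first_part_len(unsigned int pageofs_out, unsigned int outputsize)
{
    unsigned int room = PAGE_SIZE - pageofs_out;
    return outputsize < room ? outputsize : room;
}

/* Pre-fix assumption: a pcluster always fills a whole block, so the
 * spill-over into the second page is exactly pageofs_out bytes. */
static unsigned int second_part_len_assumed(unsigned int pageofs_out)
{
    return pageofs_out;
}

/* Correct length: whatever is left after the first page's share. For a
 * ztailpacking tail pcluster this can be far smaller than pageofs_out. */
unsigned int second_part_len(unsigned int pageofs_out, unsigned int outputsize)
{
    return outputsize - first_part_len(pageofs_out, outputsize);
}

/* Source bytes the assumed-length copy would read past the end of the
 * uncompressed data; 0 means the copy stays in bounds. */
unsigned int overread_bytes(unsigned int pageofs_out, unsigned int outputsize)
{
    unsigned int first = first_part_len(pageofs_out, outputsize);
    if (first == outputsize)
        return 0; /* everything fits in one page, no second copy happens */
    unsigned int assumed = second_part_len_assumed(pageofs_out);
    unsigned int actual = second_part_len(pageofs_out, outputsize);
    return assumed > actual ? assumed - actual : 0;
}

int main(void)
{
    /* Constructed inputs: a full 4 KiB block versus a 100-byte tail,
     * both starting 4074 bytes into the first output page. */
    printf("full block: over-read %u bytes\n", overread_bytes(4074, PAGE_SIZE));
    printf("ztailpacking tail: over-read %u bytes\n", overread_bytes(4074, 100));
    return 0;
}
```

A full block yields no over-read because its second part really is pageofs_out bytes long; the short tail yields a large one, which is the KASAN-reported out-of-bounds read.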
[
{
"id": "CVE-2022-49464-88d6244a",
"target": {
"file": "fs/erofs/decompressor.c"
},
"digest": {
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4d53a625f29074e7b8236c2c0e0922edb7608df9",
"signature_version": "v1"
},
{
"id": "CVE-2022-49464-b43b9985",
"target": {
"file": "fs/erofs/decompressor.c",
"function": "z_erofs_shifted_transform"
},
"digest": {
"function_hash": "160243789755671414605281990173963614771",
"length": 968.0
},
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4d53a625f29074e7b8236c2c0e0922edb7608df9",
"signature_version": "v1"
}
]