DEBIAN-CVE-2022-49170

Source
https://security-tracker.debian.org/tracker/CVE-2022-49170
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49170.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-49170
Upstream
Published
2025-02-26T07:00:54.110Z
Modified
2025-11-20T10:16:13.944855Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on curseg->alloc_type

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215657

- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image

- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6

1. mkdir testcrash
2. cd testcrash
3. unzip tmp2.zip
4. mkdir mnt
5. ./singletest.sh f2fs 2

- Kernel dump
[ 46.434454] loop0: detected capacity change from 0 to 131072
[ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[ 46.738319] ================================================================================
[ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[ 46.738475] index 231 is out of range for type 'unsigned int [2]'
[ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 46.738551] Call Trace:
[ 46.738556] <TASK>
[ 46.738563] dump_stack_lvl+0x47/0x5c
[ 46.738581] ubsan_epilogue+0x5/0x50
[ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80
[ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[ 46.738819] do_write_page+0xef/0x210 [f2fs]
[ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[ 46.739038] __write_node_page+0x2b7/0x920 [f2fs]
[ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs]
[ 46.739507] deactivate_locked_super+0x60/0xc0
[ 46.739517] deactivate_super+0x70/0xb0
[ 46.739524] cleanup_mnt+0x11a/0x200
[ 46.739532] __cleanup_mnt+0x16/0x20
[ 46.739538] task_work_run+0x67/0xa0
[ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0
[ 46.739559] syscall_exit_to_user_mode+0x26/0x40
[ 46.739568] do_syscall_64+0x46/0xb0
[ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is we missed to do sanity check on curseg->alloc_type, result in out-of-bound accessing on sbi->block_count[] array, fix it.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.113-1

Affected versions

5.*
5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49170.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49170.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49170.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49170.json"