Cyber Posture

CVE-2022-49464

Severity: High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix buffer copy overflow of ztailpacking feature

I got some KASAN report as below:

[ 46.959738] ==================================================================
[ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[ 46.960430] Call Trace:
[ 46.960430] <TASK>
[ 46.960430] dump_stack_lvl+0x41/0x5e
[ 46.960430] print_report.cold+0xb2/0x6b7
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_report+0x8a/0x140
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_check_range+0x14d/0x1d0
[ 46.960430] memcpy+0x20/0x60
[ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won't be a complete filesystem block anymore. So if ztailpacking is used, the second part of an uncompressed tail pcluster may not be ``rq->pageofs_out``.

Security Summary

CVE-2022-49464 is a use-after-free vulnerability in the Linux kernel's EROFS filesystem implementation, specifically in the ztailpacking feature. The issue arises because, with ztailpacking, the tail pcluster is no longer a complete filesystem block, so the second part of an uncompressed tail pcluster no longer necessarily sits at the offset rq->pageofs_out that the copy assumes, and the copy reads beyond the valid data. KASAN detected this during a memcpy in z_erofs_shifted_transform, called from z_erofs_decompress_pcluster. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes on systems using affected EROFS images with ztailpacking enabled.

Mitigation involves applying the upstream kernel patches provided in the stable commit references, including 4d53a625f29074e7b8236c2c0e0922edb7608df9, 6b59e1907f58cf877c563dcf013159eb9f994b64, and dcbe6803fffd387f72b48c2373b5f5ed12a5804b, which resolve the buffer copy overflow by correctly handling tail pcluster offsets in the ztailpacking code path.
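To make the offset arithmetic behind the over-read concrete, here is an added C model of the second-part copy in z_erofs_shifted_transform; it is an illustration written for this page, not the kernel's code. The struct, the buffer sizes and the 100-byte tail at offset 4074 are constructed, and the "fixed" length computation (outputsize minus the first-page share instead of pageofs_out) is my reading of the upstream fix.

```c
#include <string.h>

#define PAGE_SIZE 4096u
/* Constructed model of the request fields z_erofs_shifted_transform() uses;
 * the field names follow the page, the struct itself is not the kernel's. */
struct shifted_req {
	unsigned int pageofs_in;  /* offset of the inlined tail data in the input page */
	unsigned int pageofs_out; /* offset the tail lands at in the first output page */
	unsigned int outputsize;  /* bytes the uncompressed tail pcluster holds */
};

/* Bytes of the tail that fit into the first output page. */
static unsigned int righthalf(const struct shifted_req *rq)
{
	unsigned int room = PAGE_SIZE - rq->pageofs_out;
	return rq->outputsize < room ? rq->outputsize : room;
}

/* Length copied into the second output page. The old code assumed a
 * full-block tail, so the remainder was pageofs_out bytes; with ztailpacking
 * the tail is shorter, and the fix (my reading) derives it from outputsize. */
static unsigned int lefthalf(const struct shifted_req *rq, int fixed)
{
	return fixed ? rq->outputsize - righthalf(rq) : rq->pageofs_out;
}

/* Bounds-checked second-part copy: the source read must stay inside the
 * inlined tail data, which is all the input page holds for this pcluster.
 * Returns bytes copied, or -1 if the copy would read past that data. */
static long copy_second_part(const struct shifted_req *rq, int fixed,
			     const unsigned char *in, unsigned char *out1)
{
	unsigned int rh = righthalf(rq), len = lefthalf(rq, fixed);
	unsigned long end = (unsigned long)rq->pageofs_in + rh + len;
	if (end > rq->pageofs_in + rq->outputsize || end > PAGE_SIZE)
		return -1; /* the over-read KASAN flagged as a 4074-byte read */
	memcpy(out1, in + rq->pageofs_in + rh, len);
	return len;
}

/* Constructed scenario matching the report's 4074-byte read: a 100-byte tail
 * inlined at byte 200 of its input page, landing at offset 4074 of output page 0. */
static long demo(int fixed)
{
	static unsigned char in[PAGE_SIZE], out1[PAGE_SIZE];
	struct shifted_req rq = { .pageofs_in = 200, .pageofs_out = 4074, .outputsize = 100 };
	memset(in, 0xab, sizeof(in));
	return copy_second_part(&rq, fixed, in, out1); /* old: -1, fixed: 78 */
}
```

For a full-block tail (pageofs_in 0, outputsize equal to PAGE_SIZE) both length computations agree, which is why the bug only surfaced once ztailpacking made the tail pcluster shorter than a block.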

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
5.17 — 5.17.14 · 5.18 — 5.18.3

References