vulnerability

Ubuntu: (CVE-2022-49276): linux vulnerability

Try Surface Command
Back to search
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published
2025-02-26
Added
2025-03-03
Modified
2025-04-16

Description

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix memory leak in jffs2_scan_medium

If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:

--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.
00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................
backtrace:
[] __kmalloc+0x613/0x910
[] jffs2_sum_add_dirent_mem+0x5c/0xa0
[] jffs2_scan_medium.cold+0x36e5/0x4794
[] jffs2_do_mount_fs.cold+0xa7/0x2267
[] jffs2_do_fill_super+0x383/0xc30
[] jffs2_fill_super+0x2ea/0x4c0
[] mtd_get_sb+0x254/0x400
[] mtd_get_sb_by_nr+0x4f/0xd0
[] get_tree_mtd+0x498/0x840
[] jffs2_get_tree+0x25/0x30
[] vfs_get_tree+0x8d/0x2e0
[] path_mount+0x50f/0x1e50
[] do_mount+0x107/0x130
[] __se_sys_mount+0x1c5/0x2f0
[] __x64_sys_mount+0xc7/0x160
[] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............
00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.
backtrace:
[] kmem_cache_alloc_trace+0x584/0x880
[] jffs2_sum_add_inode_mem+0x54/0x90
[] jffs2_scan_medium.cold+0x4481/0x4794
[...]
unreferenced object 0xffff888114b57280 (size 32):
comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
hex dump (first 32 bytes):
10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............
00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.
backtrace:
[] kmem_cache_alloc_trace+0x584/0x880
[] jffs2_sum_add_xattr_mem+0x54/0x90
[] jffs2_scan_medium.cold+0x298c/0x4794
[...]
unreferenced object 0xffff8881116cd510 (size 16):
comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.
backtrace:
[] kmem_cache_alloc_trace+0x584/0x880
[] jffs2_sum_add_xref_mem+0x54/0x90
[] jffs2_scan_medium.cold+0x3a20/0x4794
[...]
--------------------------------------------

Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)

Solution(s)

ubuntu-upgrade-linuxubuntu-upgrade-linux-awsubuntu-upgrade-linux-aws-5-4ubuntu-upgrade-linux-aws-fipsubuntu-upgrade-linux-aws-hweubuntu-upgrade-linux-azureubuntu-upgrade-linux-azure-4-15ubuntu-upgrade-linux-azure-5-15ubuntu-upgrade-linux-azure-5-4ubuntu-upgrade-linux-azure-fipsubuntu-upgrade-linux-bluefieldubuntu-upgrade-linux-fipsubuntu-upgrade-linux-gcpubuntu-upgrade-linux-gcp-4-15ubuntu-upgrade-linux-gcp-5-4ubuntu-upgrade-linux-gcp-fipsubuntu-upgrade-linux-gkeubuntu-upgrade-linux-hweubuntu-upgrade-linux-hwe-5-15ubuntu-upgrade-linux-hwe-5-4ubuntu-upgrade-linux-ibmubuntu-upgrade-linux-ibm-5-4ubuntu-upgrade-linux-intel-iotgubuntu-upgrade-linux-intel-iotg-5-15ubuntu-upgrade-linux-iotubuntu-upgrade-linux-kvmubuntu-upgrade-linux-lowlatencyubuntu-upgrade-linux-lowlatency-hwe-5-15ubuntu-upgrade-linux-oracleubuntu-upgrade-linux-oracle-5-4ubuntu-upgrade-linux-raspiubuntu-upgrade-linux-raspi-5-4ubuntu-upgrade-linux-realtime

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today