ghsa-9f9g-3975-x384
Vulnerability from github
Published
2025-09-16 18:31
Modified
2025-09-16 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix null-ptr-deref in ext4_write_info

I caught a null-ptr-deref bug as follows:

KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339 RIP: 0010:ext4_write_info+0x53/0x1b0 [...] Call Trace: dquot_writeback_dquots+0x341/0x9a0 ext4_sync_fs+0x19e/0x800 __sync_filesystem+0x83/0x100 sync_filesystem+0x89/0xf0 generic_shutdown_super+0x79/0x3e0 kill_block_super+0xa1/0x110 deactivate_locked_super+0xac/0x130 deactivate_super+0xb6/0xd0 cleanup_mnt+0x289/0x400 __cleanup_mnt+0x16/0x20 task_work_run+0x11c/0x1c0 exit_to_user_mode_prepare+0x203/0x210 syscall_exit_to_user_mode+0x5b/0x3a0 do_syscall_64+0x59/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ==================================================================

Above issue may happen as follows:

exit_to_user_mode_prepare task_work_run __cleanup_mnt cleanup_mnt deactivate_super deactivate_locked_super kill_block_super generic_shutdown_super shrink_dcache_for_umount dentry = sb->s_root sb->s_root = NULL <--- Here set NULL sync_filesystem __sync_filesystem sb->s_op->sync_fs > ext4_sync_fs dquot_writeback_dquots sb->dq_op->write_info > ext4_write_info ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2) d_inode(sb->s_root) s_root->d_inode <--- Null pointer dereference

To solve this problem, we use ext4_journal_start_sb directly to avoid s_root being used.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50344"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T17:15:34Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix null-ptr-deref in ext4_write_info\n\nI caught a null-ptr-deref bug as follows:\n==================================================================\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339\nRIP: 0010:ext4_write_info+0x53/0x1b0\n[...]\nCall Trace:\n dquot_writeback_dquots+0x341/0x9a0\n ext4_sync_fs+0x19e/0x800\n __sync_filesystem+0x83/0x100\n sync_filesystem+0x89/0xf0\n generic_shutdown_super+0x79/0x3e0\n kill_block_super+0xa1/0x110\n deactivate_locked_super+0xac/0x130\n deactivate_super+0xb6/0xd0\n cleanup_mnt+0x289/0x400\n __cleanup_mnt+0x16/0x20\n task_work_run+0x11c/0x1c0\n exit_to_user_mode_prepare+0x203/0x210\n syscall_exit_to_user_mode+0x5b/0x3a0\n do_syscall_64+0x59/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n ==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\nexit_to_user_mode_prepare\n task_work_run\n  __cleanup_mnt\n   cleanup_mnt\n    deactivate_super\n     deactivate_locked_super\n      kill_block_super\n       generic_shutdown_super\n        shrink_dcache_for_umount\n         dentry = sb-\u003es_root\n         sb-\u003es_root = NULL              \u003c--- Here set NULL\n        sync_filesystem\n         __sync_filesystem\n          sb-\u003es_op-\u003esync_fs \u003e ext4_sync_fs\n           dquot_writeback_dquots\n            sb-\u003edq_op-\u003ewrite_info \u003e ext4_write_info\n             ext4_journal_start(d_inode(sb-\u003es_root), EXT4_HT_QUOTA, 2)\n              d_inode(sb-\u003es_root)\n               s_root-\u003ed_inode          \u003c--- Null pointer dereference\n\nTo solve this problem, we use ext4_journal_start_sb directly\nto avoid s_root being used.",
  "id": "GHSA-9f9g-3975-x384",
  "modified": "2025-09-16T18:31:25Z",
  "published": "2025-09-16T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50344"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a657319cfabd6199fd0b7b65bbebf6ded7a11c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/533c60a0b97cee5daab376933f486207e6680fb7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/947264e00c46de19a016fd81218118c708fed2f3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb420e8afc854d2a1caaa23a0c129839acfb7888"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc451578446afd03c0c21913993c08898a691435"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f34ab95162763cd7352f46df169296eec28b688d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4b5ff0b794aa94afac7269c494550ca2f66511b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9c1f248607d5546075d3f731e7607d5571f2b60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.