CVE-2022-49464 Information

Description

In the Linux kernel the following vulnerability has been resolved:

erofs: fix buffer copy overflow of ztailpacking feature

I got some KASAN report as below:

[ 46.959738] ================================================================== [ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370 [ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188 … [ 46.960430] Call Trace: [ 46.960430] [ 46.960430] dump_stack_lvl+0x41/0x5e [ 46.960430] print_report.cold+0xb2/0x6b7 [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370 [ 46.960430] kasan_report+0x8a/0x140 [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370 [ 46.960430] kasan_check_range+0x14d/0x1d0 [ 46.960430] memcpy+0x20/0x60 [ 46.960430] z_erofs_shifted_transform+0x2bd/0x370 [ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080

The root cause is that the tail pcluster won’t be a complete filesystem block anymore. So if ztailpacking is used the second part of an uncompressed tail pcluster may not be rq->pageofs_out.

Reference

https://git.kernel.org/stable/c/4d53a625f29074e7b8236c2c0e0922edb7608df9 https://git.kernel.org/stable/c/6b59e1907f58cf877c563dcf013159eb9f994b64 https://git.kernel.org/stable/c/dcbe6803fffd387f72b48c2373b5f5ed12a5804b