CVE-2022-49276 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix memory leak in jffs2_scan_medium

If an error is returned in jffs2_scan_eraseblock() and some memory has been added to the jffs2_summary *s, we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.
    00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................
  backtrace:
    [] __kmalloc+0x613/0x910
    [] jffs2_sum_add_dirent_mem+0x5c/0xa0
    [] jffs2_scan_medium.cold+0x36e5/0x4794
    [] jffs2_do_mount_fs.cold+0xa7/0x2267
    [] jffs2_do_fill_super+0x383/0xc30
    [] jffs2_fill_super+0x2ea/0x4c0
    [] mtd_get_sb+0x254/0x400
    [] mtd_get_sb_by_nr+0x4f/0xd0
    [] get_tree_mtd+0x498/0x840
    [] jffs2_get_tree+0x25/0x30
    [] vfs_get_tree+0x8d/0x2e0
    [] path_mount+0x50f/0x1e50
    [] do_mount+0x107/0x130
    [] __se_sys_mount+0x1c5/0x2f0
    [] __x64_sys_mount+0xc7/0x160
    [] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............
    00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.
  backtrace:
    [] kmem_cache_alloc_trace+0x584/0x880
    [] jffs2_sum_add_inode_mem+0x54/0x90
    [] jffs2_scan_medium.cold+0x4481/0x4794
    [...]
unreferenced object 0xffff888114b57280 (size 32):
  comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
  hex dump (first 32 bytes):
    10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............
    00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.
  backtrace:
    [] kmem_cache_alloc_trace+0x584/0x880
    [] jffs2_sum_add_xattr_mem+0x54/0x90
    [] jffs2_scan_medium.cold+0x298c/0x4794
    [...]
unreferenced object 0xffff8881116cd510 (size 16):
  comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.
  backtrace:
    [] kmem_cache_alloc_trace+0x584/0x880
    [] jffs2_sum_add_xref_mem+0x54/0x90
    [] jffs2_scan_medium.cold+0x3a20/0x4794
    [...]
--------------------------------------------

Therefore, we should call jffs2_sum_reset_collected(s) on exit to release the memory added in s. In addition, a new tag "out_buf" is added to prevent the NULL pointer reference caused by s being NULL. (thanks to Zhang Yi for this analysis)


Analysis

by VulDB Data Team • 02/26/2025

The vulnerability described in CVE-2022-49276 is a memory leak in the jffs2 file system implementation of the Linux kernel. It occurs during execution of jffs2_scan_medium when jffs2_scan_eraseblock() returns an error, leaving kernel allocations unreferenced. The kmemleak reports show four distinct memory objects that remain unreferenced after the error path runs, which indicates that allocated memory structures are not cleaned up. The affected allocations are the summary records for directory entries, inodes, extended attributes and cross-references, all of which are allocated during the scan but not released when an error occurs.

The technical flaw stems from inadequate error handling in the jffs2 file system code where memory is allocated to jffs2_summary structures but not freed when subsequent operations fail. This memory leak pattern directly aligns with CWE-401, which describes improper handling of memory allocation failures leading to resource leaks. The vulnerability specifically affects the jffs2_scan_medium function and its interaction with jffs2_scan_eraseblock, where the error propagation path does not include proper cleanup of summary structures. The memory leak occurs because the code fails to call jffs2_sum_reset_collected(s) when exiting the function, leaving allocated memory in the summary structure unreferenced and unavailable for reuse.

The operational impact of this vulnerability goes beyond simple memory consumption, because a persistent leak can eventually lead to system instability and performance degradation. In resource-constrained environments or on systems with frequent jffs2 mount operations, the leaked memory accumulates over time and could contribute to memory exhaustion. The issue is particularly relevant for embedded systems and devices that rely heavily on jffs2, where memory is typically limited. Because the leak sits in the kernel's memory management path, it can contribute to broader reliability problems, especially on long-running systems where the cumulative effect of repeated leaks becomes significant.

Mitigation for CVE-2022-49276 consists of proper error handling and memory cleanup within the jffs2 file system code. The fix adds a call to jffs2_sum_reset_collected(s) before the function exits so that all memory held by the summary structure is released. In addition, the new "out_buf" label prevents the NULL pointer dereference that would occur if the summary structure itself is NULL. This solution follows established memory management practice and aligns with ATT&CK technique T1070.004, which covers the use of system logs and debugging tools to identify memory management issues. The patch addresses the root cause by ensuring that all allocated resources are cleaned up regardless of the execution path taken, preventing the accumulation of unreferenced memory objects that characterizes this vulnerability.
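The leak pattern described in the commit message and in the analysis above, as an added C model that is not the kernel's code: a per-eraseblock summary collects records into a list, a scan fails part-way through one block, and the "before" exit path frees the summary container and the flash buffer but never the records the container still holds. The "after" path resets the collected records on every exit through the common label and routes a failed summary allocation past that reset via a separate label. All names here (sum_reset_collected, scan_eraseblock, scan_medium_leaky, scan_medium_fixed, leaked_records) are stand-ins chosen for this example, the model assumes summary collection is always active, and leaked_records() plays the role kmemleak played in the report.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLASHBUF_SIZE 64          /* constructed: size of the model's scan buffer */
#define RECORDS_PER_BLOCK 3       /* constructed: records found in each eraseblock */

/* One collected summary record (stand-in for the jffs2_sum_*_mem objects). */
struct sum_mem {
    struct sum_mem *next;
    int type;                     /* 0 inode, 1 dirent, 2 xattr, 3 xref (constructed) */
};

/* Stand-in for the summary structure: the list of records collected for
 * the eraseblock currently being scanned. */
struct summary {
    struct sum_mem *sum_list_head;
    unsigned int sum_num;
};

static long live_records;         /* records allocated and not yet freed (our "kmemleak") */

long leaked_records(void) { return live_records; }

static int sum_add_mem(struct summary *s, int type) {
    struct sum_mem *m = calloc(1, sizeof(*m));
    if (!m) return -ENOMEM;
    m->type = type;
    m->next = s->sum_list_head;
    s->sum_list_head = m;
    s->sum_num++;
    live_records++;
    return 0;
}

/* Drops every record s still holds and zeroes s. Like the kernel routine
 * it models, it expects a non-NULL s. */
void sum_reset_collected(struct summary *s) {
    struct sum_mem *m = s->sum_list_head;
    while (m) {
        struct sum_mem *next = m->next;
        free(m);
        live_records--;
        m = next;
    }
    memset(s, 0, sizeof(*s));
}

/* Model of scanning one eraseblock: collect records, then either hand them
 * over (modelled here as releasing them) or hit a corrupt record and fail
 * with records already sitting in s. */
static int scan_eraseblock(struct summary *s, int block, int fail_at) {
    int i, ret;
    sum_reset_collected(s);                  /* each block starts with an empty summary */
    for (i = 0; i < RECORDS_PER_BLOCK; i++) {
        ret = sum_add_mem(s, i % 4);
        if (ret) return ret;
        if (block == fail_at && i == 1)
            return -EIO;                     /* error path: two records are now held by s */
    }
    sum_reset_collected(s);                  /* successful block: records consumed */
    return 0;
}

/* BEFORE the fix: the exit path frees the container and the buffer only. */
int scan_medium_leaky(int nblocks, int fail_at) {
    struct summary *s;
    char *flashbuf = malloc(FLASHBUF_SIZE);
    int i, ret = 0;
    if (!flashbuf) return -ENOMEM;
    s = calloc(1, sizeof(*s));
    if (!s) { ret = -ENOMEM; goto out; }
    for (i = 0; i < nblocks; i++) {
        ret = scan_eraseblock(s, i, fail_at);
        if (ret < 0) goto out;
    }
out:
    free(s);                                 /* container freed, its records orphaned */
    free(flashbuf);
    return ret;
}

/* AFTER the fix: "out" resets the collected records before freeing the
 * container; a failed summary allocation jumps to "out_buf" so the reset is
 * never applied to a NULL pointer. sum_alloc_fails is fault injection. */
int scan_medium_fixed(int nblocks, int fail_at, int sum_alloc_fails) {
    struct summary *s;
    char *flashbuf = malloc(FLASHBUF_SIZE);
    int i, ret = 0;
    if (!flashbuf) return -ENOMEM;
    s = sum_alloc_fails ? NULL : calloc(1, sizeof(*s));
    if (!s) { ret = -ENOMEM; goto out_buf; }
    for (i = 0; i < nblocks; i++) {
        ret = scan_eraseblock(s, i, fail_at);
        if (ret < 0) goto out;
    }
out:
    sum_reset_collected(s);
    free(s);
out_buf:
    free(flashbuf);
    return ret;
}

int main(void) {
    int ret = scan_medium_fixed(4, 2, 0);
    printf("fixed: ret=%d, records still allocated=%ld\n", ret, leaked_records());
    ret = scan_medium_leaky(4, 2);
    printf("leaky: ret=%d, records still allocated=%ld\n", ret, leaked_records());
    return 0;
}
```

Running the fixed variant first and the leaky one last makes the difference visible in the counter: every fixed exit (success, mid-block I/O error, failed summary allocation) leaves the counter at zero, while the leaky variant failing in block 2 strands the two records collected before the error, which is exactly what the kmemleak report shows for the jffs2_sum_add_*_mem allocations.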

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00246

KEV

no

Activities

very low

Sources
