CVE-2022-49282 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

f2fs: quota: fix loop condition at f2fs_quota_sync()

cnt should be passed to sb_has_quota_active() instead of type to check active quota properly.

Moreover, when the type is -1, the compiler with enough inline knowledge can discard the sb_has_quota_active() check altogether, causing a NULL pointer dereference at the following inode_lock(dqopt->files[cnt]):

[ 2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 2.796024] Mem abort info:
[ 2.796025] ESR = 0x96000005
[ 2.796028] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.796029] SET = 0, FnV = 0
[ 2.796031] EA = 0, S1PTW = 0
[ 2.796032] Data abort info:
[ 2.796034] ISV = 0, ISS = 0x00000005
[ 2.796035] CM = 0, WnR = 0
[ 2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000
[ 2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000
[ 2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S 5.4.179-arter97-r8-64666-g2f16e087f9d8 #1
[ 2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)
[ 2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[ 2.796065] pc : down_write+0x28/0x70
[ 2.796070] lr : f2fs_quota_sync+0x100/0x294
[ 2.796071] sp : ffffffa3f48ffc30
[ 2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000
[ 2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80
[ 2.796077] x25: ffffffa3f7290048 x24: 0000000000000001
[ 2.796078] x23: 0000000000000000 x22: ffffffa3f7290000
[ 2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110
[ 2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038
[ 2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0
[ 2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0
[ 2.796086] x13: 00000000000004f6 x12: 00162c44ff493000
[ 2.796088] x11: 0000000000000400 x10: ffffffa40e38c948
[ 2.796090] x9 : 0000000000000000 x8 : 00000000000000a0
[ 2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a
[ 2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d
[ 2.796094] x3 : 00000000060c0000 x2 : 0000000000000001
[ 2.796096] x1 : 0000000000000000 x0 : 00000000000000a0
[ 2.796098] Call trace:
[ 2.796100] down_write+0x28/0x70
[ 2.796102] f2fs_quota_sync+0x100/0x294
[ 2.796104] block_operations+0x120/0x204
[ 2.796106] f2fs_write_checkpoint+0x11c/0x520
[ 2.796107] __checkpoint_and_complete_reqs+0x7c/0xd34
[ 2.796109] issue_checkpoint_thread+0x6c/0xb8
[ 2.796112] kthread+0x138/0x414
[ 2.796114] ret_from_fork+0x10/0x18
[ 2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)
[ 2.796120] ---[ end trace 96e942e8eb6a0b53 ]---
[ 2.800116] Kernel panic - not syncing: Fatal exception
[ 2.800120] SMP: stopping secondary CPUs


Analysis

by VulDB Data Team • 04/15/2025

The vulnerability described in CVE-2022-49282 affects the F2FS (Flash-Friendly File System) implementation in the Linux kernel, specifically the quota synchronization routine f2fs_quota_sync(). That routine loops over the quota types (user, group, project) with a counter cnt and skips the types that were not requested; when it is called with type set to -1 it is expected to sync every active quota type. Inside the loop, the active-quota check called sb_has_quota_active() with the function argument type instead of the loop counter cnt. For an explicit type the two values are equal and the check works; for type == -1 the check is asked about a quota type that does not exist, and, as the commit message notes, a compiler with enough inline knowledge can discard the check altogether. The loop then continues for quota types that were never enabled.

At runtime the faulty path is reached from the F2FS checkpoint kernel thread (f2fs_ckpt-259:7 in the report) through f2fs_write_checkpoint() and block_operations(), which call f2fs_quota_sync() with type -1 to flush all quota types before the checkpoint is written. With the check elided, the loop reaches inode_lock(dqopt->files[cnt]) for a quota type that is not enabled, and dqopt->files[cnt] is NULL for such a type. inode_lock() takes the inode's i_rwsem, so down_write() is invoked on a field of a NULL inode; the faulting address 0x00000000000000a0 (x0 in the register dump) is simply the offset of that rw_semaphore within struct inode on the reporting kernel build, computed from a NULL base pointer. down_write() at the top of the trace is therefore the first consumer of the bad pointer, not the origin of the bug: the defect is the loop condition in f2fs_quota_sync(), not the locking code.
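To make the two loop shapes concrete, the following is an added model written for this analysis; it is not kernel code. The structure names, the three-entry files[] array and the type indices (USRQUOTA = 0, GRPQUOTA = 1, PRJQUOTA = 2) mirror the kernel's layout in simplified form, the inodes are static dummies, and the one modelling assumption is that sb_has_quota_active() called with type == -1 behaves as if the check had been removed (it returns true), which is the outcome the commit message describes. The buggy and fixed functions return the index whose NULL inode would be handed to inode_lock(), or -1 when no iteration would fault.

```c
/* Added model of the f2fs_quota_sync() loop before and after the fix.
 * Not kernel code: struct layouts and helpers are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAXQUOTAS 3
#define USRQUOTA  0
#define GRPQUOTA  1
#define PRJQUOTA  2

struct inode { int id; };                  /* stand-in for struct inode */

struct quota_info {
    unsigned int active;                   /* bit N set: quota type N is active */
    struct inode *files[MAXQUOTAS];        /* NULL when type N is not enabled */
};

/* Model of sb_has_quota_active(sb, type).  The kernel's flag test shifts by
 * `type`; for type == -1 that shift is undefined behaviour and the commit
 * message reports that an inlining compiler drops the check.  ASSUMPTION:
 * the model makes that outcome explicit by returning true for invalid types. */
static bool has_quota_active(const struct quota_info *dqopt, int type)
{
    if (type < 0 || type >= MAXQUOTAS)
        return true;                       /* check effectively elided */
    return ((dqopt->active >> type) & 1u) != 0;
}

/* Loop shape before the fix: the function argument `type` is checked, not
 * the loop counter `cnt`.  Returns the index whose NULL inode would reach
 * inode_lock(), or -1 if every iteration is safe. */
static int quota_sync_buggy(const struct quota_info *dqopt, int type)
{
    for (int cnt = 0; cnt < MAXQUOTAS; cnt++) {
        if (type != -1 && cnt != type)
            continue;
        if (!has_quota_active(dqopt, type))     /* BUG: should be cnt */
            continue;
        if (dqopt->files[cnt] == NULL)
            return cnt;   /* inode_lock(NULL): down_write on &inode->i_rwsem */
        /* ... filemap write, inode_lock, dquot sync would follow ... */
    }
    return -1;
}

/* Loop shape after the fix: each iteration checks the type it will lock. */
static int quota_sync_fixed(const struct quota_info *dqopt, int type)
{
    for (int cnt = 0; cnt < MAXQUOTAS; cnt++) {
        if (type != -1 && cnt != type)
            continue;
        if (!has_quota_active(dqopt, cnt))      /* fixed: cnt, not type */
            continue;
        if (dqopt->files[cnt] == NULL)
            return cnt;                         /* unreachable once the check is right */
    }
    return -1;
}

/* Constructed sample state: dummy inodes exist only for active types, as
 * dqopt->files[] is only populated when a quota type is switched on. */
static struct inode dummy_inode[MAXQUOTAS] = { {1}, {2}, {3} };

static struct quota_info make_quota(unsigned int active_mask)
{
    struct quota_info q = { .active = active_mask };
    for (int i = 0; i < MAXQUOTAS; i++)
        q.files[i] = ((active_mask >> i) & 1u) ? &dummy_inode[i] : NULL;
    return q;
}

/* Query helpers: which index (if any) the buggy / fixed loop would fault on
 * for a given set of active quota types and a given sync request. */
static int buggy_null_index(unsigned int active_mask, int type)
{
    struct quota_info q = make_quota(active_mask);
    return quota_sync_buggy(&q, type);
}

static int fixed_null_index(unsigned int active_mask, int type)
{
    struct quota_info q = make_quota(active_mask);
    return quota_sync_fixed(&q, type);
}

int main(void)
{
    unsigned int user_only = 1u << USRQUOTA;   /* usrquota mounted, others off */
    printf("buggy loop, sync all (type -1): NULL inode at index %d\n",
           buggy_null_index(user_only, -1));
    printf("buggy loop, sync USRQUOTA only: %d (no fault)\n",
           buggy_null_index(user_only, USRQUOTA));
    printf("fixed loop, sync all (type -1): %d (no fault)\n",
           fixed_null_index(user_only, -1));
    return 0;
}
```

The model shows why the bug stayed hidden for explicit types: with type == USRQUOTA the buggy check and the fixed check read the same bit, so only the "sync everything" call from the checkpoint path, combined with at least one inactive quota type, walks into the NULL entry (index 1, GRPQUOTA, in the user-only sample).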

The demonstrated impact is a kernel panic ("Kernel panic - not syncing: Fatal exception" at the end of the report), i.e. a denial of service on any system that mounts F2FS with quota support where not every quota type is active, triggered by a routine checkpoint rather than by attacker-controlled input. VulDB classifies the flaw as CWE-476: NULL Pointer Dereference and maps it to ATT&CK technique T1068: Exploitation for Privilege Escalation; the latter is a generic mapping for kernel memory-safety bugs, and nothing in the report shows a way to control the faulting read or to turn it into privilege escalation, which is consistent with the EPSS score of 0.00241 and the "very low" activity rating recorded below. The practical exposure is on embedded and Android devices, where F2FS with quotas is common (the report comes from a Qualcomm Lahaina MTP build running a tainted 5.4.179 vendor kernel), because the panic takes the whole device down during ordinary filesystem activity.

The fix is a one-token change in f2fs_quota_sync(): pass cnt rather than type to sb_has_quota_active(), so that each iteration checks the quota type it is about to lock. The change is trivially backportable, and administrators should move to a kernel that carries it. Where an update cannot be applied immediately, the only configuration-level relief is to avoid the state the loop trips over, a NULL dqopt->files[] entry, which in practice means keeping every quota type the filesystem supports active rather than a subset; this is a stopgap, not a fix. Monitoring checkpoint activity does not help, because the faulting call is made by the checkpoint thread during normal operation and cannot be avoided by restricting user actions, and a watchdog only shortens the outage after the panic. The bug is also a reminder that sb_has_quota_active() is not defined for type == -1, that the compiler is entitled to delete a check whose argument is undefined, and that loops over quota types must always query the per-iteration type.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00241

KEV

no

Activities

very low
