CVE-2022-49464 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix buffer copy overflow of ztailpacking feature
I got some KASAN report as below:
[ 46.959738] ==================================================================
[ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
...
[ 46.960430] Call Trace:
[ 46.960430]
[ 46.960430] dump_stack_lvl+0x41/0x5e
[ 46.960430] print_report.cold+0xb2/0x6b7
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_report+0x8a/0x140
[ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] kasan_check_range+0x14d/0x1d0
[ 46.960430] memcpy+0x20/0x60
[ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
[ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080
The root cause is that the tail pcluster won't be a complete filesystem block anymore. So if ztailpacking is used, the second part of an uncompressed tail pcluster may not be ``rq->pageofs_out``.
Analysis
by VulDB Data Team • 03/25/2025
The vulnerability CVE-2022-49464 is a critical buffer overflow flaw in the Linux kernel's erofs filesystem implementation, specifically in the ztailpacking feature. The issue manifests as a use-after-free condition during decompression, where the kernel accesses memory that has already been freed, with consequences for both system stability and security. The root cause is improper handling of partial filesystem blocks when the ztailpacking optimization is in use, which lets the data copy run past the intended memory boundaries. The KASAN (Kernel Address Sanitizer) report shows the problem in z_erofs_shifted_transform, where memcpy reads 4074 bytes at address ffff8880300c2f8e, a classic buffer overflow pattern in which the copy length exceeds the data actually held by the buffer.
The technical root cause lies in the handling of filesystem block boundaries when tail pclusters are processed with the ztailpacking feature enabled. Normally filesystem blocks are complete and properly aligned, but with ztailpacking the tail portion of a pcluster may not form a complete filesystem block. The second part of an uncompressed tail pcluster then no longer matches the size the code derives from rq->pageofs_out, so the copy extends beyond the expected buffer boundaries and corrupts memory. The affected function is z_erofs_shifted_transform, which handles the transformation of the decompressed data; its memcpy copies without checking the length against the data actually present. The flaw is mapped to CWE-121 (buffer overflow) and is a memory safety vulnerability that could be exploited to gain unauthorized access or cause a denial of service.
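To make the block-boundary arithmetic from the summary and the paragraph above concrete, here is an added user-space model; it is not the kernel's code and not the upstream patch. With fixed == 0, split_halves reproduces the complete-block assumption the commit message describes (the second part of the tail is taken to be pageofs_out bytes), and with fixed != 0 it clamps both parts to the bytes the pcluster really has. The struct, the in_len field, the righthalf/lefthalf names, the refuse-on-overrun check and the 200-byte tail at offset 22 are all assumptions of this example; only pageofs_out and the 4074-byte read size come from the page.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SZ 4096u   /* filesystem block == page in this model */
/* Hypothetical user-space model of one request: outputsize bytes of tail
 * data behind in, placed at offset pageofs_out of out[0], rest in out[1]. */
struct shifted_req {
    const uint8_t *in;
    size_t in_len;        /* bytes really present behind in */
    size_t pageofs_out;
    size_t outputsize;
    uint8_t *out[2];
};

/* fixed == 0 keeps the pre-fix assumption that a pcluster is a complete
 * block: first part fills the rest of out[0], second part is pageofs_out
 * bytes. fixed != 0 clamps both parts to the bytes that really exist. */
static void split_halves(const struct shifted_req *rq, int fixed,
                         size_t *righthalf, size_t *lefthalf)
{
    *righthalf = PAGE_SZ - rq->pageofs_out;
    *lefthalf = rq->pageofs_out;
    if (fixed) {
        if (*righthalf > rq->outputsize)
            *righthalf = rq->outputsize;
        *lefthalf = rq->outputsize - *righthalf;
    }
}

/* Returns bytes copied, or -1 if the plan would read past the input
 * (the out-of-bounds read of 4074 bytes that KASAN flagged). */
static long shifted_copy(const struct shifted_req *rq, int fixed)
{
    size_t righthalf, lefthalf;
    split_halves(rq, fixed, &righthalf, &lefthalf);
    if (righthalf + lefthalf > rq->in_len)
        return -1;                    /* source overrun: refuse the copy */
    memcpy(rq->out[0] + rq->pageofs_out, rq->in, righthalf);
    if (lefthalf)
        memcpy(rq->out[1], rq->in + righthalf, lefthalf);
    return (long)(righthalf + lefthalf);
}

/* Constructed case: a 200-byte ztailpacked tail at a chosen offset; with
 * pageofs_out 22 the pre-fix first copy is 4096 - 22 = 4074 bytes. */
static long run_tail_case(size_t pageofs_out, int fixed)
{
    static uint8_t in[200], page0[PAGE_SZ], page1[PAGE_SZ];
    struct shifted_req rq = { in, sizeof in, pageofs_out, sizeof in, { page0, page1 } };
    return shifted_copy(&rq, fixed);
}
```

run_tail_case(22, 0) returns -1 because the pre-fix plan wants 4074 + 22 bytes from a 200-byte input, while run_tail_case(22, 1) copies exactly 200; the offset-4000 case shows the same for a tail that genuinely spans two pages.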
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation and data corruption within affected systems. When exploited, the buffer overflow can lead to kernel memory corruption, causing system crashes or allowing malicious actors to execute arbitrary code with kernel privileges. The vulnerability affects systems running Linux kernels with erofs filesystem support, particularly those utilizing the ztailpacking compression optimization feature. Attackers could leverage this flaw by crafting malicious filesystem images that trigger the problematic code path during decompression operations, potentially leading to complete system compromise. The vulnerability's exploitation requires specific conditions related to filesystem configuration and data access patterns, making it somewhat more difficult to exploit than simpler buffer overflow conditions, but still represents a significant security risk for systems that rely on erofs filesystem functionality.
Mitigation for CVE-2022-49464 should focus on applying the official kernel patches from the Linux kernel security team, which address the overflow with proper bounds checking and memory management for the ztailpacking feature. System administrators should prioritize updating to a kernel that includes the fix, particularly where erofs filesystems are actively used. Monitoring for KASAN reports and enforcing proper filesystem access controls can additionally help detect attempted exploitation. The fix modifies z_erofs_shifted_transform to validate the buffer boundaries before the memory copy, so that the copy length matches the data actually present regardless of the ztailpacking state. Organizations should also consider disabling the ztailpacking feature where it is not strictly required as a temporary mitigation while the permanent kernel update is rolled out. This vulnerability aligns with ATT&CK technique T1068, 'Exploitation for Privilege Escalation', since successful exploitation could yield elevated privileges on the affected system.