CVE-2022-49846 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

Syzbot reported a slab-out-of-bounds Write bug:

loop0: detected capacity change from 0 to 2048 ================================================================== BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610

CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 memcpy+0x3c/0x60 mm/kasan/shadow.c:66 udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 udf_lookup+0xef/0x340 fs/udf/namei.c:309 lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline]
__do_sys_creat fs/open.c:1402 [inline]
__se_sys_creat fs/open.c:1396 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1396 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ffab0d164d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9 RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180 RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000 R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3610: kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:576 [inline]
udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243 udf_lookup+0xef/0x340 fs/udf/namei.c:309 lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline]
__do_sys_creat fs/open.c:1402 [inline]
__se_sys_creat fs/open.c:1396 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1396 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880123ff800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 150 bytes inside of 256-byte region [ffff8880123ff800, ffff8880123ff900)

The buggy address belongs to the physical page: page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123fe head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0 create_dummy_stack mm/page_owner.c: ---truncated---

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/15/2025

The vulnerability identified as CVE-2022-49846 represents a critical slab-out-of-bounds write flaw within the Linux kernel's Universal Disk Format (UDF) filesystem implementation. This issue specifically occurs in the udf_find_entry() function located in fs/udf/namei.c at line 253, where a write operation attempts to access memory beyond the allocated bounds of a slab object. The flaw was detected by Syzbot, an automated fuzzer, which reported a KASAN (Kernel Address Sanitizer) violation indicating a slab-out-of-bounds write of size 105 bytes. The memory access occurs at address ffff8880123ff896, which is 150 bytes beyond the beginning of a 256-byte kmalloc-256 slab object, demonstrating a classic buffer overflow condition that could potentially lead to arbitrary code execution or system instability.

This vulnerability stems from improper bounds checking within the UDF filesystem's name resolution mechanism, where the udf_find_entry() function fails to validate the length of data being copied or written to memory structures. The function's behavior during filesystem lookup operations, particularly when processing directory entries, creates an opportunity for attackers to manipulate filesystem data in a way that triggers the out-of-bounds write. The issue manifests during normal file operations such as opening files or directories, as evidenced by the call stack showing the execution path through udf_lookup, lookup_open, and path_openat functions. The vulnerability is classified under CWE-121 as a stack-based buffer overflow, though in this case it manifests as a heap-based issue within the slab allocator, making it particularly dangerous due to its potential for memory corruption in kernel space.

The operational impact of this vulnerability extends beyond simple data corruption, as it can enable attackers to achieve privilege escalation or system compromise through carefully crafted filesystem operations. An attacker with local access to a system could potentially exploit this vulnerability by mounting a malicious UDF filesystem or triggering specific filesystem operations that cause the vulnerable code path to execute. The nature of the bug allows for potential information disclosure, denial of service, or even remote code execution depending on the specific conditions under which the out-of-bounds write occurs. Given that UDF is a widely supported filesystem format used in various applications including optical media and digital storage, this vulnerability affects a broad range of systems. The vulnerability aligns with ATT&CK technique T1068 which involves exploiting vulnerabilities in legitimate programs to gain system access, and specifically targets the kernel-level execution environment where such attacks can have maximum impact.

Mitigation strategies for this vulnerability include applying the official kernel patch that corrects the bounds checking in udf_find_entry() by ensuring proper validation of buffer sizes before memory operations are performed. System administrators should prioritize updating to kernel versions that include the fix, particularly those containing the commit that resolves this issue. Additionally, monitoring for unusual filesystem access patterns and implementing proper access controls can help detect potential exploitation attempts. The fix typically involves adding appropriate bounds checks to prevent the write operation from exceeding allocated memory boundaries, ensuring that all memory accesses within the UDF filesystem code are properly validated against the actual size of allocated buffers. Organizations should also consider implementing kernel lockdown mechanisms and restricting filesystem mounting capabilities where possible to limit potential attack surfaces.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00196

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!