CVE-2022-50753
Use-After-Free in Linux Kernel f2fs Causes Mount Crash

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on summary info

As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=216456

BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013
CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x45/0x5e
 print_report.cold+0xf3/0x68d
 kasan_report+0xa8/0x130
 recover_data+0x63ae/0x6ae0 [f2fs]
 f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
 f2fs_fill_super+0x4665/0x61e0 [f2fs]
 mount_bdev+0x2cf/0x3b0
 legacy_get_tree+0xed/0x1d0
 vfs_get_tree+0x81/0x2b0
 path_mount+0x47e/0x19d0
 do_mount+0xce/0xf0
 __x64_sys_mount+0x12c/0x1a0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is: in a fuzzed image, the SSA table is corrupted: ofs_in_node is larger than ADDRS_PER_PAGE(), resulting in an out-of-range access on a 4k-size page.

- recover_data
 - do_recover_data
  - check_index_in_prev_nodes
   - f2fs_data_blkaddr

This patch adds a sanity check on summary info in the recovery and GC flows, where those flows rely on it.

After patch:
[ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018
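To make the root cause concrete, here is an added example in C, written for this page and not code from the kernel or from the f2fs maintainers. It models a 4 KiB direct node page with 1018 block-address slots and a 24-byte footer (the max:1018 in the log line above), a summary entry whose ofs_in_node is a 16-bit on-disk field, the byte offset an unchecked addr[ofs_in_node] access would touch (computed, never dereferenced), and a hardened lookup that rejects the entry with a message in the format of the patched kernel's log line. The struct layouts, the loop0 device name, the ino value and the parse helper are assumptions for the model; the real f2fs_data_blkaddr and the kernel's sanity check differ in detail. The parser at the end is the kind of helper you would run over dmesg output when triaging the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a 4 KiB f2fs direct node page: block-address slots followed by a
 * 24-byte footer, so 1018 slots fit. Layout is an assumption for this model;
 * 1018 matches the max: value in the report's log line. */
#define F2FS_BLKSIZE      4096u
#define NODE_FOOTER_SIZE  24u
#define ADDRS_PER_BLOCK   ((F2FS_BLKSIZE - NODE_FOOTER_SIZE) / sizeof(uint32_t)) /* 1018 */

typedef uint32_t block_t;

struct node_page {
    block_t addr[ADDRS_PER_BLOCK];
    uint8_t footer[NODE_FOOTER_SIZE];
};

/* Summary (SSA) entry as this model sees it: the node a block belongs to and
 * the slot within that node. ofs_in_node is a 16-bit field on disk, so a
 * fuzzed image can carry any value up to 65535. */
struct summary {
    uint32_t nid;
    uint8_t  version;
    uint16_t ofs_in_node;
};

/* Byte offset from the start of the node page that an unchecked
 * addr[ofs_in_node] access would touch. Computed only, never dereferenced. */
size_t unchecked_read_offset(const struct summary *sum)
{
    return offsetof(struct node_page, addr) + (size_t)sum->ofs_in_node * sizeof(block_t);
}

/* 1 if that 4-byte read would land outside the 4 KiB page, 0 otherwise. */
int unchecked_read_is_out_of_page(const struct summary *sum)
{
    return unchecked_read_offset(sum) + sizeof(block_t) > F2FS_BLKSIZE;
}

/* Hardened lookup: refuse summary entries whose offset cannot index this node
 * page, emitting a message in the format of the patched kernel's log line. */
int checked_data_blkaddr(const struct node_page *np, const struct summary *sum,
                         uint32_t ino, block_t *out, char *msg, size_t msglen)
{
    if (sum->ofs_in_node >= ADDRS_PER_BLOCK) {
        snprintf(msg, msglen,
                 "F2FS-fs (loop0): Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
                 (unsigned)sum->ofs_in_node, ino, sum->nid, (unsigned)ADDRS_PER_BLOCK);
        return -1;
    }
    *out = np->addr[sum->ofs_in_node];
    return 0;
}

/* Triage helper (assumed, not a kernel interface): pull the fields out of a
 * log line of that shape, e.g. from `dmesg`. Returns 1 on match, 0 otherwise. */
int parse_inconsistent_line(const char *line, unsigned *ofs, unsigned *ino,
                            unsigned *nid, unsigned *max)
{
    const char *p = strstr(line, "Inconsistent ofs_in_node:");
    if (!p)
        return 0;
    return sscanf(p, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
                  ofs, ino, nid, max) == 4;
}

int main(void)
{
    struct node_page np;
    memset(&np, 0, sizeof np);
    np.addr[5] = 0x1234; /* constructed block address in slot 5 */

    /* Constructed entries: one sane, one carrying the value from the report. */
    struct summary good = { .nid = 6, .version = 0, .ofs_in_node = 5 };
    struct summary bad  = { .nid = 6, .version = 0, .ofs_in_node = 65286 };
    char msg[160];
    block_t blk;

    printf("unchecked read for ofs 65286 lands at byte %zu of a %u-byte page (out of page: %d)\n",
           unchecked_read_offset(&bad), F2FS_BLKSIZE, unchecked_read_is_out_of_page(&bad));
    if (checked_data_blkaddr(&np, &good, 0, &blk, msg, sizeof msg) == 0)
        printf("ofs 5 -> blkaddr 0x%x\n", blk);
    if (checked_data_blkaddr(&np, &bad, 0, &blk, msg, sizeof msg) != 0) {
        unsigned o, i, n, m;
        printf("%s\n", msg);
        if (parse_inconsistent_line(msg, &o, &i, &n, &m))
            printf("parsed: ofs=%u ino=%u nid=%u max=%u\n", o, i, n, m);
    }
    return 0;
}
```

The point the model makes: the offset 65286 from the report puts the read more than 256 KiB past a 4 KiB page, so whatever happens to sit there is what gets returned as a block address, and the only safe response is to reject the entry before indexing, which is what the check does.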
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
AI Powered Q&A
Can you explain this vulnerability to me?

This is an out-of-bounds read in the Linux kernel's f2fs filesystem that KASAN reports as a use-after-free in recover_data. The segment summary area (SSA) of an f2fs image records, for each data block, the node it belongs to and its offset within that node (ofs_in_node). In a crafted or fuzzed image that offset can exceed ADDRS_PER_PAGE(), the number of block-address slots in a 4 KiB node page, so when fsync-data recovery at mount time reaches f2fs_data_blkaddr (via do_recover_data and check_index_in_prev_nodes) it indexes past the end of the page and reads memory it should not. The fix adds a sanity check on the summary info wherever the recovery and garbage-collection paths rely on it; a bad entry is now rejected with a log line such as 'F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018' instead of being used as an index.


How can this vulnerability impact me?

The bug is triggered by mounting an f2fs image whose SSA table is corrupted, so the exposure is any path by which an attacker-supplied image reaches mount: removable media, automounted USB or SD storage, loop-mounted image files, or images processed by a fuzzing or forensic pipeline. The reported outcome is an invalid kernel memory read during mount, which can crash the kernel or leave it unstable (denial of service). The report does not demonstrate code execution; treat that as unproven rather than assumed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

On a kernel that carries the fix, a rejected image leaves a message of the form 'F2FS-fs (loop0): Inconsistent ofs_in_node:... in summary, ino:..., nid:..., max:...' in the kernel log; look for it with 'dmesg | grep F2FS-fs' or 'journalctl -k | grep F2FS-fs'. Read that message correctly: it means the sanity check is present and fired, so it tells you a corrupted or crafted image was mounted, not that the system is vulnerable. An unpatched kernel prints no such message; a triggering mount instead produces a KASAN use-after-free report or an oops whose call trace passes through recover_data, f2fs_recover_fsync_data and f2fs_fill_super. To assess exposure, compare the running kernel ('uname -r') against your distribution's advisory for this CVE, and check whether f2fs is in use or loadable ('grep f2fs /proc/filesystems; lsmod | grep f2fs').


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that includes the fix ('f2fs: fix to do sanity check on summary info'), which adds the sanity check in the recovery and garbage-collection flows; this page lists no fixed version, so consult your distribution's advisory. Until then, do not mount f2fs images from untrusted sources, disable automounting of removable f2fs volumes where it is enabled, and on systems that do not need f2fs at all prevent the module from loading (for example via a modprobe blacklist) so a crafted image cannot reach the affected code.

