CVE-2022-50753

Vulnerability

Overview

CVE-2022-50753 is a use-after-free vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation. The root cause is the lack of a sanity check on the summary info structure read from the SSA (Segment Summary Area) table. When a specially crafted or fuzzed filesystem image is mounted, the ofs_in_node field in the summary can be larger than ADDRS_PER_PAGE(), leading to an out-of-bounds access on a 4k-sized page during recovery operations [1][2].

Exploitation

Conditions

The vulnerability is triggered during the filesystem mount process, specifically in the recover_data function and the garbage collection (GC) flow. An attacker must be able to mount a maliciously crafted f2fs image, which requires local access to the system (e.g., via a USB drive or a network filesystem). No authentication is needed beyond the ability to mount a filesystem. The attack surface is limited to systems that mount untrusted f2fs images, such as those using removable media or receiving images from untrusted sources.

Impact

A successful exploit results in a kernel crash due to a use-after-free condition, leading to a denial of service (DoS). The crash is demonstrated by a KASAN report showing a read of size 4 at a freed address during recover_data. The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information.

Mitigation

The fix adds a sanity check on the summary info in both the recovery and GC code paths, ensuring that ofs_in_node does not exceed the allowed maximum. The patch has been applied to the stable kernel tree [1][2]. Users should update their kernels to include the fix. No workaround is available other than avoiding the mounting of untrusted f2fs images on unpatched systems.