VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50815

Description

In the Linux kernel, the following vulnerability has been resolved:

ext2: Add sanity checks for group and filesystem size

Add sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoids trying to mount some crafted filesystems with extremely large group counts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel ext2 filesystem driver now validates that filesystem size does not exceed device size and that group size is sufficient for metadata, preventing mount of crafted images with excessive group counts.

The Linux kernel's ext2 filesystem driver lacked sanity checks for the relationship between the filesystem size, the underlying device size, and the group descriptor size. When mounting a specially crafted ext2 image where the filesystem size exceeds the device size or where the group size is too small to fit its metadata, the kernel could encounter undefined behavior or attempt to allocate an extremely large number of group descriptors, leading to memory corruption or denial of service. The patch adds checks to ensure the filesystem size does not exceed the device's capacity and that each group has sufficient room for its metadata [1].

Exploitation

An attacker can exploit this by presenting a crafted ext2 filesystem image to a system that attempts to mount it, potentially through a physical device, loopback mount of a file, or via network filesystem if the image is provided remotely. The attack does not require authentication if the user or a privileged process can be tricked into mounting the malicious image. The vulnerability is triggered during the mount operation itself [1].

Impact

Successful exploitation could allow an attacker to cause a denial of service by crashing the system or potentially executing arbitrary code, though the patch notes primarily address preventing memory corruption and resource exhaustion due to extreme group counts. The fix mitigates the risk by rejecting invalid mount requests before any harmful memory allocation occurs [1].

Mitigation

The fix has been applied upstream in the Linux kernel and was included in stable releases. Users should update their kernels to incorporate the commit 40ff52527daec00cf1530c17a95636916ddd3b38. No workarounds are available other than avoiding mounting untrusted ext2 filesystem images on unpatched kernels [1].
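For triaging untrusted images before they reach an unpatched kernel, the two conditions named in the description can be checked in user space. The following is an added example, not the kernel's code and not part of this advisory: the function names are hypothetical, the superblock offsets are the standard ext2 on-disk layout, and the definition of per-group metadata (inode table plus superblock copy plus two bitmaps) and the block-size bound are assumptions of the example.

```python
import struct

EXT2_MAGIC = 0xEF53
SB_OFFSET = 1024  # the primary superblock starts 1024 bytes into the image

def check_ext2_geometry(image: bytes, device_size: int) -> list:
    """Return geometry problems found in the superblock; [] means both checks pass."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 90:
        return ["image too short to hold a superblock"]
    blocks_count, = struct.unpack_from("<I", sb, 4)        # s_blocks_count
    log_block_size, = struct.unpack_from("<I", sb, 24)     # s_log_block_size
    blocks_per_group, = struct.unpack_from("<I", sb, 32)   # s_blocks_per_group
    inodes_per_group, = struct.unpack_from("<I", sb, 40)   # s_inodes_per_group
    magic, = struct.unpack_from("<H", sb, 56)              # s_magic
    rev_level, = struct.unpack_from("<I", sb, 76)          # s_rev_level
    if magic != EXT2_MAGIC:
        return ["not an ext2 superblock (bad magic)"]
    if log_block_size > 6:  # bound chosen for this example: blocks up to 64 KiB
        return ["implausible block size"]
    block_size = 1024 << log_block_size
    # Revision 0 uses fixed 128-byte inodes; later revisions store s_inode_size.
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    if inode_size == 0 or inode_size > block_size:
        return ["implausible inode size"]
    inodes_per_block = block_size // inode_size
    itb_per_group = -(-inodes_per_group // inodes_per_block)  # ceiling division
    # Assumption: per-group metadata = inode table + superblock copy + 2 bitmaps.
    metadata_blocks = itb_per_group + 3
    problems = []
    if blocks_count * block_size > device_size:
        problems.append("filesystem size exceeds device size")
    if blocks_per_group <= metadata_blocks:
        problems.append("group too small to hold its metadata")
    return problems

def make_image(blocks_count, blocks_per_group, inodes_per_group):
    """Constructed sample: 1 KiB of padding plus a minimal revision-0 superblock."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, blocks_count)
    struct.pack_into("<I", sb, 32, blocks_per_group)
    struct.pack_into("<I", sb, 40, inodes_per_group)
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)
    return bytes(1024) + bytes(sb)

if __name__ == "__main__":
    sane = make_image(8192, 8192, 2048)
    crafted = make_image(0xFFFFFFFF, 4, 2048)  # huge block count, tiny groups
    print(check_ext2_geometry(sane, 8192 * 1024))
    print(check_ext2_geometry(crafted, len(crafted)))
```

Pass the size in bytes of the backing file or block device as `device_size`; any non-empty result is a reason to refuse the mount.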

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
