VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50845

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix inode leak in ext4_xattr_inode_create() on an error path

The following issue occurs when doing setxattr with fault injection:

[localhost]# fsck.ext4 -fn /dev/sda
e2fsck 1.46.6-rc1 (12-Sep-2022)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached zero-length inode 15. Clear? no

Unattached inode 15
Connect to /lost+found? no

Pass 5: Checking group summary information

/dev/sda: ******** WARNING: Filesystem still has errors ********

/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks

This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' fails, dropping i_nlink of the inode is needed. Otherwise it will lead to an inode leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing inode cleanup in ext4_xattr_inode_create() can cause an inode leak when ext4_mark_inode_dirty() fails.

Vulnerability

Description

In the Linux kernel's ext4 filesystem, the function ext4_xattr_inode_create() is responsible for creating an inode to store extended attributes (xattrs). An error path in this function fails to properly decrement the inode's link count (i_nlink) when ext4_mark_inode_dirty() returns a failure. This oversight leads to an inode leak, where the newly allocated inode remains referenced but is not attached to any directory, resulting in an "unattached zero-length inode" as reported by fsck.ext4 [1].

Exploitation

An attacker with the ability to trigger extended attribute operations (e.g., via the setxattr syscall) on an ext4 filesystem could intentionally cause the error condition by injecting faults or exhausting resources, causing ext4_mark_inode_dirty() to fail. No special privileges beyond the ability to set extended attributes are required; the attack surface is local, requiring access to the filesystem. The vulnerability manifests during the creation of an xattr inode, and the resulting inode leak persists across reboots until the filesystem is checked and repaired [1].

Impact

Each successful exploitation leaks one inode from the filesystem's inode table. Over time, repeated exploitation could exhaust the available inode pool, potentially leading to denial of service (DoS) conditions where new files or directories cannot be created. The leaked inode is zero-length and unattached, consuming an inode number without providing any storage. The filesystem will report errors during consistency checks (e.g., fsck) and may require manual intervention to clear the orphaned inode [1].
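A check for the symptom described above, as an added example that is not part of the advisory or the kernel patch: it parses the text of a read-only `fsck.ext4 -fn` run and reports unattached inodes together with inode usage. The function name `parse_e2fsck_report` and the result keys are assumptions made for illustration; the sample text is modelled on the report quoted in the description.

```python
import re

# Sample modelled on the fsck.ext4 -fn output quoted in the description above.
SAMPLE_REPORT = """\
e2fsck 1.46.6-rc1 (12-Sep-2022)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached zero-length inode 15.  Clear? no

Unattached inode 15
Connect to /lost+found? no

Pass 5: Checking group summary information

/dev/sda: ******** WARNING: Filesystem still has errors ********

/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks
"""

UNATTACHED = re.compile(r"^Unattached (zero-length )?inode (\d+)", re.M)
SUMMARY = re.compile(r"^(\S+): (\d+)/(\d+) files \(", re.M)


def parse_e2fsck_report(text):
    """Summarise a read-only e2fsck run: unattached inodes and inode usage."""
    zero_length, other = set(), set()
    for m in UNATTACHED.finditer(text):
        (zero_length if m.group(1) else other).add(int(m.group(2)))
    # In the sample the same inode appears in both prompts; count it once.
    other -= zero_length
    result = {
        "zero_length_unattached": sorted(zero_length),
        "other_unattached": sorted(other),
        "has_errors": "WARNING: Filesystem still has errors" in text,
        "device": None, "inodes_used": None, "inodes_total": None,
    }
    m = SUMMARY.search(text)
    if m:
        result.update(device=m.group(1), inodes_used=int(m.group(2)),
                      inodes_total=int(m.group(3)))
    return result


if __name__ == "__main__":
    print(parse_e2fsck_report(SAMPLE_REPORT))
```

A non-empty `zero_length_unattached` list matches the signature in this advisory; tracking `inodes_used` against `inodes_total` over time shows whether the inode pool is shrinking.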

Mitigation

The fix has been applied to the Linux kernel stable tree. The commit 9ef603086c5b (and backports) ensures that when ext4_mark_inode_dirty() fails, the inode's link count is decremented via iput() or similar cleanup, preventing the leak [1]. Users should apply the latest stable kernel updates that include this patch. No workaround exists other than avoiding the error path entirely; the only mitigation is to patch the kernel.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
