{"id":"CVE-2022-49349","summary":"ext4: fix use-after-free in ext4_rename_dir_prepare","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_rename_dir_prepare\n\nWe got issue as follows:\nEXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue\next4_get_first_dir_block: bh-\u003eb_data=0xffff88810bee6000 len=34478\next4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh-\u003eb_data=0xffff88810bee6000\next4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae\n==================================================================\nBUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220\nRead of size 4 at addr ffff88810beee6ae by task rep/1895\n\nCPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241\nCall Trace:\n dump_stack+0xbe/0xf9\n print_address_description.constprop.0+0x1e/0x220\n kasan_report.cold+0x37/0x7f\n ext4_rename_dir_prepare+0x152/0x220\n ext4_rename+0xf44/0x1ad0\n ext4_rename2+0x11c/0x170\n vfs_rename+0xa84/0x1440\n do_renameat2+0x683/0x8f0\n __x64_sys_renameat+0x53/0x60\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\nRIP: 0033:0x7f45a6fc41c9\nRSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9\nRDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005\nRBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080\nR10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0\nR13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000\n\nThe buggy address belongs to the page:\npage:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee\nflags: 0x200000000000000()\nraw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000\nraw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\u003effff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                                  ^\n ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n==================================================================\nDisabling lock debugging due to kernel taint\next4_rename_dir_prepare: [2] parent_de-\u003einode=3537895424\next4_rename_dir_prepare: [3] dir=0xffff888124170140\next4_rename_dir_prepare: [4] ino=2\next4_rename_dir_prepare: ent-\u003edir-\u003ei_ino=2 parent=-757071872\n\nReason is first directory entry which 'rec_len' is 34478, then will get illegal\nparent entry. Now, we do not check directory entry after read directory block\nin 'ext4_get_first_dir_block'.\nTo solve this issue, check directory entry in 'ext4_get_first_dir_block'.\n\n[ Trigger an ext4_error() instead of just warning if the directory is\n  missing a '.' or '..' entry.   Also make sure we return an error code\n  if the file system is corrupted.  -TYT ]","modified":"2026-04-02T08:27:31.107025Z","published":"2025-02-26T02:11:02.993Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1","SUSE-SU-2025:1293-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49349.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195"},{"type":"WEB","url":"https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49349.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49349"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"32f7f22c0b52e8189fef83986b16dc7abe95f2c4"},{"fixed":"1a3a15bf6f9963d755270cbdb282863b84839195"},{"fixed":"97f802a652a749422dede32071d29a53cf4bd034"},{"fixed":"10801095224de0d0ab06ae60698680c1f883a3ae"},{"fixed":"eaecf7ebfd5dd09038a80b14be46b844f54cfc5c"},{"fixed":"dd887f83ea54aea5b780a84527e23ab95f777fed"},{"fixed":"364380c00912bed9b5d99eb485018360b0ecf64f"},{"fixed":"0ff38b99fa075ddd246487a28cb9af049f4ceef1"},{"fixed":"4a2bea60cf7ff957b3eda0b17750d483876a02fa"},{"fixed":"0be698ecbe4471fcad80e81ec6a05001421041b3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49349.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}