CVE-2022-50782 (GCVE-0-2022-50782)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
Title
ext4: fix bug_on in __es_tree_search caused by bad quota inode
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad quota inode We got a issue as fllows: ================================================================== kernel BUG at fs/ext4/extents_status.c:202! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352 RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0 RSP: 0018:ffffc90001227900 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8 RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001 R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10 R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000 FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ext4_es_cache_extent+0xe2/0x210 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_getblk+0x82/0x340 ext4_bread+0x14/0x110 ext4_quota_read+0xf0/0x180 v2_read_header+0x24/0x90 v2_check_quota_file+0x2f/0xa0 dquot_load_quota_sb+0x26c/0x760 dquot_load_quota_inode+0xa5/0x190 ext4_enable_quotas+0x14c/0x300 __ext4_fill_super+0x31cc/0x32c0 ext4_fill_super+0x115/0x2d0 get_tree_bdev+0x1d2/0x360 ext4_get_tree+0x19/0x30 vfs_get_tree+0x26/0xe0 path_mount+0x81d/0xfc0 do_mount+0x8d/0xc0 __x64_sys_mount+0xc0/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== Above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup ext4_enable_quotas ext4_quota_enable ext4_iget --> get error inode <5> ext4_ext_check_inode --> Wrong imode makes it escape inspection make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode dquot_load_quota_inode vfs_setup_quota_inode --> check pass dquot_load_quota_sb v2_check_quota_file v2_read_header ext4_quota_read ext4_bread ext4_getblk ext4_map_blocks ext4_ext_map_blocks ext4_find_extent ext4_cache_extents ext4_es_cache_extent __es_tree_search.isra.0 ext4_es_end --> Wrong extents trigger BUG_ON In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, the ext4_ext_check_inode check in the ext4_iget function can be bypassed, finally, the extents that are not checked trigger the BUG_ON in the __es_tree_search function. To solve this issue, check whether the inode is bad_inode in vfs_setup_quota_inode().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1d5524832ff204b8a8cd54ae1628b2122f6e9a8d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 98004f926d27eaccdd2d336b7916a42e07392da1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0dcbf4dc3d54aab5990952cfd832042fb300dbe3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 794c9175db1f2e5d2a28c326f10bd024dbd944f8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1daff79463d7d76096c84c57cddc30c5d4be2226 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d323877484765aaacbb2769b06e355c2041ed115 (git)
Create a notification for this product.
    Linux Linux Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/quota/dquot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1d5524832ff204b8a8cd54ae1628b2122f6e9a8d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "98004f926d27eaccdd2d336b7916a42e07392da1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0dcbf4dc3d54aab5990952cfd832042fb300dbe3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "794c9175db1f2e5d2a28c326f10bd024dbd944f8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1daff79463d7d76096c84c57cddc30c5d4be2226",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d323877484765aaacbb2769b06e355c2041ed115",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/quota/dquot.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad quota inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:202!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cTASK\u003e\n  ext4_es_cache_extent+0xe2/0x210\n  ext4_cache_extents+0xd2/0x110\n  ext4_find_extent+0x5d5/0x8c0\n  ext4_ext_map_blocks+0x9c/0x1d30\n  ext4_map_blocks+0x431/0xa50\n  ext4_getblk+0x82/0x340\n  ext4_bread+0x14/0x110\n  ext4_quota_read+0xf0/0x180\n  v2_read_header+0x24/0x90\n  v2_check_quota_file+0x2f/0xa0\n  dquot_load_quota_sb+0x26c/0x760\n  dquot_load_quota_inode+0xa5/0x190\n  ext4_enable_quotas+0x14c/0x300\n  __ext4_fill_super+0x31cc/0x32c0\n  ext4_fill_super+0x115/0x2d0\n  get_tree_bdev+0x1d2/0x360\n  ext4_get_tree+0x19/0x30\n  vfs_get_tree+0x26/0xe0\n  path_mount+0x81d/0xfc0\n  do_mount+0x8d/0xc0\n  __x64_sys_mount+0xc0/0x160\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  \u003c/TASK\u003e\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n  ext4_enable_quotas\n   ext4_quota_enable\n    ext4_iget --\u003e get error inode \u003c5\u003e\n     ext4_ext_check_inode --\u003e Wrong imode makes it escape inspection\n     make_bad_inode(inode) --\u003e EXT4_BOOT_LOADER_INO set imode\n    dquot_load_quota_inode\n     vfs_setup_quota_inode --\u003e check pass\n     dquot_load_quota_sb\n      v2_check_quota_file\n       v2_read_header\n        ext4_quota_read\n         ext4_bread\n          ext4_getblk\n           ext4_map_blocks\n            ext4_ext_map_blocks\n             ext4_find_extent\n              ext4_cache_extents\n               ext4_es_cache_extent\n                __es_tree_search.isra.0\n                 ext4_es_end --\u003e Wrong extents trigger BUG_ON\n\nIn the above issue, s_usr_quota_inum is set to 5, but inode\u003c5\u003e contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:06:09.914Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3"
        },
        {
          "url": "https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226"
        },
        {
          "url": "https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115"
        }
      ],
      "title": "ext4: fix bug_on in __es_tree_search caused by bad quota inode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50782",
    "datePublished": "2025-12-24T13:06:09.914Z",
    "dateReserved": "2025-12-24T13:02:21.548Z",
    "dateUpdated": "2025-12-24T13:06:09.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50782\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:05.047\",\"lastModified\":\"2025-12-24T13:16:05.047\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix bug_on in __es_tree_search caused by bad quota inode\\n\\nWe got a issue as fllows:\\n==================================================================\\n kernel BUG at fs/ext4/extents_status.c:202!\\n invalid opcode: 0000 [#1] PREEMPT SMP\\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n  \u003cTASK\u003e\\n  ext4_es_cache_extent+0xe2/0x210\\n  ext4_cache_extents+0xd2/0x110\\n  ext4_find_extent+0x5d5/0x8c0\\n  ext4_ext_map_blocks+0x9c/0x1d30\\n  ext4_map_blocks+0x431/0xa50\\n  ext4_getblk+0x82/0x340\\n  ext4_bread+0x14/0x110\\n  ext4_quota_read+0xf0/0x180\\n  v2_read_header+0x24/0x90\\n  v2_check_quota_file+0x2f/0xa0\\n  dquot_load_quota_sb+0x26c/0x760\\n  dquot_load_quota_inode+0xa5/0x190\\n  ext4_enable_quotas+0x14c/0x300\\n  __ext4_fill_super+0x31cc/0x32c0\\n  ext4_fill_super+0x115/0x2d0\\n  get_tree_bdev+0x1d2/0x360\\n  ext4_get_tree+0x19/0x30\\n  vfs_get_tree+0x26/0xe0\\n  path_mount+0x81d/0xfc0\\n  do_mount+0x8d/0xc0\\n  __x64_sys_mount+0xc0/0x160\\n  do_syscall_64+0x35/0x80\\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n  \u003c/TASK\u003e\\n==================================================================\\n\\nAbove issue may happen as follows:\\n-------------------------------------\\next4_fill_super\\n ext4_orphan_cleanup\\n  ext4_enable_quotas\\n   ext4_quota_enable\\n    ext4_iget --\u003e get error inode \u003c5\u003e\\n     ext4_ext_check_inode --\u003e Wrong imode makes it escape inspection\\n     make_bad_inode(inode) --\u003e EXT4_BOOT_LOADER_INO set imode\\n    dquot_load_quota_inode\\n     vfs_setup_quota_inode --\u003e check pass\\n     dquot_load_quota_sb\\n      v2_check_quota_file\\n       v2_read_header\\n        ext4_quota_read\\n         ext4_bread\\n          ext4_getblk\\n           ext4_map_blocks\\n            ext4_ext_map_blocks\\n             ext4_find_extent\\n              ext4_cache_extents\\n               ext4_es_cache_extent\\n                __es_tree_search.isra.0\\n                 ext4_es_end --\u003e Wrong extents trigger BUG_ON\\n\\nIn the above issue, s_usr_quota_inum is set to 5, but inode\u003c5\u003e contains\\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\\nfinally, the extents that are not checked trigger the BUG_ON in the\\n__es_tree_search function. To solve this issue, check whether the inode is\\nbad_inode in vfs_setup_quota_inode().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.