FKIE_CVE-2022-50277

Vulnerability from fkie_nvd - Published: 2025-09-15 15:15 - Updated: 2025-12-03 18:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: don't allow journal inode to have encrypt flag Mounting a filesystem whose journal inode has the encrypt flag causes a NULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt' mount option is used. The problem is that when jbd2_journal_init_inode() calls bmap(), it eventually finds its way into ext4_iomap_begin(), which calls fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() requires that if the inode is encrypted, then its encryption key must already be set up. That's not the case here, since the journal inode is never "opened" like a normal file would be. Hence the crash. A reproducer is: mkfs.ext4 -F /dev/vdb debugfs -w /dev/vdb -R "set_inode_field <8> flags 0x80808" mount /dev/vdb /mnt -o inlinecrypt To fix this, make ext4 consider journal inodes with the encrypt flag to be invalid. (Note, maybe other flags should be rejected on the journal inode too. For now, this is just the minimal fix for the above issue.) I've marked this as fixing the commit that introduced the call to fscrypt_limit_io_blocks(), since that's what made an actual crash start being possible. But this fix could be applied to any version of ext4 that supports the encrypt feature.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/105c78e12468413e426625831faa7db4284e1fecPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1f7a6626f611aa06d7907aa45b484708dd5ac8bcPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bcc5057e1781a3ee889225480d995c3b5cbde555Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99134089-608D-4C95-93DF-CC4127BE3674",
              "versionEndExcluding": "6.0.18",
              "versionStartIncluding": "5.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC4189D9-5478-4E88-A78D-9C1DE29B217C",
              "versionEndExcluding": "6.1.4",
              "versionStartIncluding": "6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don\u0027t allow journal inode to have encrypt flag\n\nMounting a filesystem whose journal inode has the encrypt flag causes a\nNULL dereference in fscrypt_limit_io_blocks() when the \u0027inlinecrypt\u0027\nmount option is used.\n\nThe problem is that when jbd2_journal_init_inode() calls bmap(), it\neventually finds its way into ext4_iomap_begin(), which calls\nfscrypt_limit_io_blocks().  fscrypt_limit_io_blocks() requires that if\nthe inode is encrypted, then its encryption key must already be set up.\nThat\u0027s not the case here, since the journal inode is never \"opened\" like\na normal file would be.  Hence the crash.\n\nA reproducer is:\n\n    mkfs.ext4 -F /dev/vdb\n    debugfs -w /dev/vdb -R \"set_inode_field \u003c8\u003e flags 0x80808\"\n    mount /dev/vdb /mnt -o inlinecrypt\n\nTo fix this, make ext4 consider journal inodes with the encrypt flag to\nbe invalid.  (Note, maybe other flags should be rejected on the journal\ninode too.  For now, this is just the minimal fix for the above issue.)\n\nI\u0027ve marked this as fixing the commit that introduced the call to\nfscrypt_limit_io_blocks(), since that\u0027s what made an actual crash start\nbeing possible.  But this fix could be applied to any version of ext4\nthat supports the encrypt feature."
    }
  ],
  "id": "CVE-2022-50277",
  "lastModified": "2025-12-03T18:31:12.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-09-15T15:15:38.700",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/105c78e12468413e426625831faa7db4284e1fec"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1f7a6626f611aa06d7907aa45b484708dd5ac8bc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bcc5057e1781a3ee889225480d995c3b5cbde555"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.