
CVE-2022-49007: Vulnerability in Linux Linux

Severity: Medium
Published: Mon Oct 21 2024 (10/21/2024, 20:06:19 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

Syzbot reported a null-ptr-deref bug:

NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608
Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
 nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
 nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
 nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
 nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
 nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
 nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
 nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
 nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
 nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
 nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
 nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
 nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
 nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
 nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>
...

If the DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in the nilfs_palloc_commit_free_entry() function, which leads to a crash.

Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.
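A userspace model of the sequence in the description, added here as an illustration and not taken from the kernel. It assumes that nilfs_dat_prepare_end() loads the descriptor and bitmap buffer heads only when it sees blocknr == 0 (a planned free), so a nested commit_alloc that resets blocknr on the same DAT entry sends commit_end down the free path without them; the hardened variant applies the fix's NULL check and records the error instead of dereferencing.

```c
/* Added userspace model of the CVE-2022-49007 sequence: simplified stand-ins,
 * not nilfs2 code. Assumption: prepare_end loads the descriptor and bitmap
 * buffers only when it sees blocknr == 0, i.e. when a free is planned. */
#include <stddef.h>
struct buffer_head { int data; };                      /* stand-in for a loaded block */
struct nilfs_dat_entry { unsigned long de_blocknr; };  /* 0 = no block assigned */
struct nilfs_palloc_req {
    struct nilfs_dat_entry *entry;
    struct buffer_head *pr_desc_bh, *pr_bitmap_bh;     /* NULL unless a free was planned */
};
static struct buffer_head desc_block, bitmap_block;
static int fs_errors;                                  /* nilfs_error() calls (hardened path) */

/* nilfs_dat_prepare_end(): decides free vs. keep from the entry's current blocknr. */
static void dat_prepare_end(struct nilfs_palloc_req *req)
{
    req->pr_desc_bh = req->pr_bitmap_bh = NULL;
    if (req->entry->de_blocknr == 0) {
        req->pr_desc_bh = &desc_block;
        req->pr_bitmap_bh = &bitmap_block;
    }
}

/* nilfs_dat_commit_alloc() for a lower-level block: with a duplicated vblocknr in a corrupted DAT it lands on the same entry and resets its blocknr to 0. */
static void dat_commit_alloc(struct nilfs_dat_entry *entry) { entry->de_blocknr = 0; }

/* nilfs_dat_commit_end(): re-reads blocknr, and 0 now routes into commit_free.
 * Returns 1 at the point where the unpatched code dereferences a NULL buffer head. */
static int dat_commit_end(struct nilfs_palloc_req *req, int hardened)
{
    if (req->entry->de_blocknr != 0)
        return 0;                                      /* plain commit, no free */
    if (req->pr_desc_bh == NULL || req->pr_bitmap_bh == NULL) {
        if (!hardened)
            return 1;                                  /* crash site in the report */
        fs_errors++;                                   /* the fix: nilfs_error(), then bail out */
        return 0;
    }
    return 0;                                          /* buffers present, free proceeds */
}

/* Replays the cascaded b-tree update from the report on constructed input. */
static int replay(int hardened)
{
    struct nilfs_dat_entry entry = { .de_blocknr = 42 };  /* entry already owns a block */
    struct nilfs_palloc_req req = { &entry, NULL, NULL };
    dat_prepare_end(&req);      /* blocknr != 0: no free planned, buffers stay NULL */
    dat_commit_alloc(&entry);   /* nested alloc on the same entry: blocknr becomes 0 */
    return dat_commit_end(&req, hardened);
}
```

replay(0) reaches the unpatched crash site; replay(1) takes the fix's error path and increments fs_errors instead.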

AI-Powered Analysis

AILast updated: 07/01/2025, 01:10:06 UTC

Technical Analysis

CVE-2022-49007 is a vulnerability in the Linux kernel's NILFS2 (New Implementation of a Log-structured File System) component. The issue is a NULL pointer dereference in nilfs_palloc_commit_free_entry(), reached during b-tree operations on NILFS2 filesystem metadata. Specifically, if the DAT (Disk Address Translation) metadata file is corrupted, req->pr_desc_bh can be NULL while the block number is zero when nilfs_dat_commit_end() runs. nilfs_dat_commit_free() is then called with invalid buffer heads, causing the NULL pointer dereference and a kernel crash (general protection fault). The root cause is that nilfs_dat_commit_alloc() for a lower-level block can initialize the block number on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(), so the state prepared in the first step no longer matches what the second step sees; the description ties this to cascading ancestor-node updates within a single b-tree operation on corrupted metadata, not to concurrent access. The fix adds NULL checks on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() is called, and invokes nilfs_error() to record the fatal metadata flaw and stop further operations. Syzbot found the bug on a 6.1.0-rc2 kernel. Triggering it requires no user interaction but does require corrupted NILFS2 metadata, which may result from disk errors or malicious tampering. Exploitation yields a denial of service via kernel crash, affecting system availability. No known exploits were reported in the wild as of the publication date.

Potential Impact

For European organizations, the primary impact of CVE-2022-49007 is a potential denial of service (DoS) condition on systems using the NILFS2 filesystem. While NILFS2 is not as widely deployed as ext4 or XFS, it is used in some specialized environments requiring log-structured filesystems, such as certain embedded systems or high-throughput storage scenarios. A kernel crash caused by this vulnerability could disrupt critical services, especially in data centers or cloud environments running Linux kernels vulnerable to this issue. The crash could lead to system reboots, data unavailability, or potential data corruption if the filesystem metadata is already compromised. Since the vulnerability is triggered by corrupted metadata, it may also indicate underlying hardware or storage issues, compounding operational risks. European organizations relying on Linux-based infrastructure with NILFS2 should be aware that this vulnerability could affect system stability and availability, potentially impacting sectors like telecommunications, finance, or public services where uptime is critical. However, the impact is limited by the relatively niche use of NILFS2 and the requirement of corrupted metadata to trigger the fault.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that address CVE-2022-49007 as soon as they become available. Monitor kernel updates from trusted Linux distributions and vendors.
2. Filesystem integrity checks: Regularly run filesystem consistency checks (fsck) on NILFS2 volumes to detect and repair metadata corruption proactively, reducing the chance of triggering this vulnerability.
3. Hardware health monitoring: Implement robust disk health monitoring and predictive failure analysis to prevent metadata corruption caused by hardware faults.
4. Backup and recovery: Maintain up-to-date backups of critical data on NILFS2 filesystems to enable recovery in case of corruption or crashes.
5. Limit NILFS2 usage: Where possible, evaluate the necessity of using NILFS2 and consider migrating to more widely supported and tested filesystems like ext4 or XFS, which do not have this vulnerability.
6. Kernel hardening: Employ kernel hardening techniques and security modules that can mitigate the impact of kernel crashes or isolate faulty components.
7. Logging and alerting: Enhance monitoring to detect kernel crashes and filesystem errors promptly, enabling rapid incident response.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.643Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe68c1

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 1:10:06 AM

Last updated: 7/31/2025, 11:17:13 PM

Views: 13
