CVE-2022-49075: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix qgroup reserve overflow the qgroup limit

We use extent_changeset->bytes_changed in qgroup_reserve_data() to record how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the bytes_changed is set as "unsigned int", and it will overflow if we try to fallocate a range larger than 4GiB. The result is we reserve less bytes and eventually break the qgroup limit.

Unlike regular buffered/direct write, which we use one changeset for each ordered extent, which can never be larger than 256M. For fallocate, we use one changeset for the whole range, thus it no longer respects the 256M per extent limit, and caused the problem.

The following example test script reproduces the problem:

  $ cat qgroup-overflow.sh
  #!/bin/bash

  DEV=/dev/sdj
  MNT=/mnt/sdj

  mkfs.btrfs -f $DEV
  mount $DEV $MNT

  # Set qgroup limit to 2GiB.
  btrfs quota enable $MNT
  btrfs qgroup limit 2G $MNT

  # Try to fallocate a 3GiB file. This should fail.
  echo
  echo "Try to fallocate a 3GiB file..."
  fallocate -l 3G $MNT/3G.file

  # Try to fallocate a 5GiB file.
  echo
  echo "Try to fallocate a 5GiB file..."
  fallocate -l 5G $MNT/5G.file

  # See we break the qgroup limit.
  echo
  sync
  btrfs qgroup show -r $MNT

  umount $MNT

When running the test:

  $ ./qgroup-overflow.sh
  (...)

  Try to fallocate a 3GiB file...
  fallocate: fallocate failed: Disk quota exceeded

  Try to fallocate a 5GiB file...

  qgroupid         rfer         excl     max_rfer
  --------         ----         ----     --------
  0/5           5.00GiB      5.00GiB      2.00GiB

Since we have no control of how bytes_changed is used, it's better to set it to u64.
AI Analysis
Technical Summary
CVE-2022-49075 is a vulnerability in the Linux kernel's Btrfs filesystem quota group (qgroup) management. It is an integer overflow in the qgroup reservation logic for large fallocate operations. The variable extent_changeset->bytes_changed, which records how many bytes were set to the EXTENT_QGROUP_RESERVED state, is declared as an unsigned int (32-bit). When a range larger than 4 GiB is fallocated, the counter overflows, fewer bytes are reserved than were requested, and the qgroup limit is no longer enforced.

Regular buffered or direct writes are not affected in the same way because they use one changeset per ordered extent, and an ordered extent can never be larger than 256 MiB. fallocate uses a single changeset for the entire range, so the 256 MiB per-extent limit does not apply and the counter can overflow. A user can therefore exceed the qgroup limit, which can lead to uncontrolled disk space usage in a quota-controlled environment.

The provided test script demonstrates this with a 2 GiB qgroup limit: the 3 GiB fallocate fails with "Disk quota exceeded", while the 5 GiB fallocate succeeds, and the qgroup afterwards shows 5.00GiB referenced against a 2.00GiB limit. The root cause is the 32-bit width of bytes_changed, and the fix is to change it to a 64-bit unsigned integer (u64) so that large allocations are counted without overflow. This vulnerability affects Linux kernel versions identified by the given commit hash and is currently published without known exploits in the wild or an assigned CVSS score.
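The arithmetic behind the test output, as an added example (a simplified user-space model, not kernel code and not taken from the patch): it accumulates a fallocate range into a 32-bit and a 64-bit counter and compares each against the 2 GiB limit. The struct and function names, the 256 MiB step and the limit check are assumptions; only the width of bytes_changed comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

#define GiB   (1024ULL * 1024 * 1024)
#define STEP  (256ULL * 1024 * 1024)   /* model step size (assumption) */

_Static_assert(sizeof(unsigned int) == 4, "model assumes 32-bit unsigned int");

/* Hypothetical stand-ins for the changeset; only the counter width matters. */
struct changeset_u32 { unsigned int bytes_changed; };  /* before the fix */
struct changeset_u64 { uint64_t bytes_changed; };      /* after the fix  */

/* One changeset covers the whole range, as the advisory says fallocate does. */
static uint64_t reserved_u32(uint64_t len)
{
    struct changeset_u32 cs = { 0 };
    for (uint64_t off = 0; off < len; off += STEP) {
        uint64_t n = len - off < STEP ? len - off : STEP;
        cs.bytes_changed += (unsigned int)n;   /* wraps modulo 2^32 */
    }
    return cs.bytes_changed;
}

static uint64_t reserved_u64(uint64_t len)
{
    struct changeset_u64 cs = { 0 };
    for (uint64_t off = 0; off < len; off += STEP) {
        uint64_t n = len - off < STEP ? len - off : STEP;
        cs.bytes_changed += n;
    }
    return cs.bytes_changed;
}

/* Simplified limit check: admit only if the counted bytes fit the limit. */
static int admitted(uint64_t counted, uint64_t limit)
{
    return counted <= limit;
}

int main(void)
{
    const uint64_t limit = 2 * GiB, sizes[] = { 3 * GiB, 5 * GiB };
    for (int i = 0; i < 2; i++) {
        uint64_t a = reserved_u32(sizes[i]), b = reserved_u64(sizes[i]);
        printf("request %llu GiB: u32 counts %.2f GiB (%s), u64 counts %.2f GiB (%s)\n",
               (unsigned long long)(sizes[i] / GiB),
               (double)a / GiB, admitted(a, limit) ? "allowed" : "EDQUOT",
               (double)b / GiB, admitted(b, limit) ? "allowed" : "EDQUOT");
    }
    return 0;
}
```

The 3 GiB request fits in 32 bits and is rejected either way; the 5 GiB request is counted as 1 GiB by the 32-bit counter, which is why it passes a 2 GiB limit.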
Potential Impact
For European organizations, especially those relying on Linux servers with Btrfs filesystems and quota management enabled, this vulnerability could lead to quota enforcement bypass. This means that users or processes could allocate more disk space than allowed, potentially exhausting storage resources unexpectedly. This can disrupt services, cause denial of service due to lack of disk space, and complicate resource management. Organizations with multi-tenant environments, shared hosting, or cloud infrastructure using Btrfs quotas are particularly at risk. The integrity of quota enforcement is critical for operational stability and cost control. While this vulnerability does not directly lead to remote code execution or privilege escalation, the ability to bypass quotas can be leveraged in combination with other vulnerabilities or misconfigurations to impact availability and operational security. Additionally, uncontrolled disk usage can lead to data loss or corruption if the filesystem becomes unstable due to overcommitment.
Mitigation Recommendations
1. Apply the official Linux kernel patch that changes extent_changeset->bytes_changed from a 32-bit unsigned int to a 64-bit unsigned integer to prevent overflow.
2. Upgrade Linux kernels to versions that include this fix as soon as they become available from trusted distributors.
3. Until patched, monitor disk usage closely on Btrfs filesystems with quota groups enabled, especially for unusually large fallocate operations.
4. Implement stricter access controls to limit which users or processes can perform large fallocate operations or modify quota settings.
5. Use filesystem auditing tools to detect quota limit breaches or anomalous allocation patterns.
6. Consider alternative quota enforcement mechanisms or filesystems if immediate patching is not feasible.
7. Educate system administrators about this vulnerability to ensure prompt detection and response.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.245Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6a9a
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 1:57:02 AM
Last updated: 8/9/2025, 3:55:42 PM