CVE-2022-49347: Vulnerability in Linux Linux

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 02:11:01 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug_on in ext4_writepages

we got issue as follows:

    EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
    ------------[ cut here ]------------
    kernel BUG at fs/ext4/inode.c:2708!
    invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
    RIP: 0010:ext4_writepages+0x1977/0x1c10
    RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000
    RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002
    RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000
    R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001
    R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028
    FS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     do_writepages+0x130/0x3a0
     filemap_fdatawrite_wbc+0x83/0xa0
     filemap_flush+0xab/0xe0
     ext4_alloc_da_blocks+0x51/0x120
     __ext4_ioctl+0x1534/0x3210
     __x64_sys_ioctl+0x12c/0x170
     do_syscall_64+0x3b/0x90

It may happen as follows:

1. write inline_data inode

    vfs_write
      new_sync_write
        ext4_file_write_iter
          ext4_buffered_write_iter
            generic_perform_write
              ext4_da_write_begin
                ext4_da_write_inline_data_begin -> If inline data size too small will allocate block to write, then mapping will have dirty page
                  ext4_da_convert_inline_data_to_extent -> clear EXT4_STATE_MAY_INLINE_DATA

2. fallocate

    do_vfs_ioctl
      ioctl_preallocate
        vfs_fallocate
          ext4_fallocate
            ext4_convert_inline_data
              ext4_convert_inline_data_nolock
                ext4_map_blocks -> fail will goto restore data
                ext4_restore_inline_data
                  ext4_create_inline_data
                  ext4_write_inline_data
                  ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA

3. writepages

    __ext4_ioctl
      ext4_alloc_da_blocks
        filemap_flush
          filemap_fdatawrite_wbc
            do_writepages
              ext4_writepages
                if (ext4_has_inline_data(inode))
                  BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))

The root cause of this issue is we destroy inline data until call ext4_writepages under delay allocation mode. But there maybe already convert from inline to extent. To solve this issue, we call filemap_flush first.

AI-Powered Analysis

Last updated: 06/30/2025, 06:10:52 UTC

Technical Analysis

CVE-2022-49347 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically in the ext4_writepages function. The flaw arises from improper handling of inline data during delayed allocation mode. Inline data is a feature where small files or file fragments are stored directly within the inode to optimize storage and performance. The vulnerability manifests when ext4_writepages attempts to write pages for an inode that has transitioned from inline data storage to extent-based storage without proper synchronization. This leads to a kernel BUG triggered by inconsistent block bitmap and block group descriptor states, causing a crash or kernel panic. The root cause is that ext4_writepages destroys inline data without ensuring that the conversion from inline data to extents has fully completed, resulting in corrupted metadata and invalid opcode exceptions. The detailed call trace shows that the issue occurs during write operations involving inline data, fallocate system calls, and the subsequent flushing of file pages. The bug can cause filesystem errors, data corruption, and system instability. Although no known exploits are reported in the wild, the vulnerability affects Linux kernel versions prior to the fix committed around early 2025. The vulnerability is critical because it impacts the core filesystem layer, which is fundamental to system stability and data integrity. The fix involves ensuring filemap_flush is called before destroying inline data to maintain consistency between inline data and extent mappings.

Potential Impact

For European organizations, this vulnerability poses a significant risk to servers and systems running Linux with ext4 filesystems, which are widely deployed across enterprise environments, cloud infrastructures, and critical services. Exploitation can lead to kernel crashes, resulting in denial of service and potential data corruption or loss. This is particularly impactful for industries relying on high availability and data integrity such as finance, healthcare, telecommunications, and government services. Systems used for virtualization, containerization, or cloud hosting that utilize ext4 may experience instability or outages, disrupting business operations. Although exploitation requires local code execution or privileged access, attackers who gain such access could leverage this vulnerability to cause system crashes and data integrity issues. The lack of known exploits reduces immediate risk, but the severity of potential impact necessitates prompt patching. Additionally, forensic investigations and incident response could be complicated by filesystem inconsistencies caused by this bug.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2022-49347 as soon as they become available from trusted sources such as the Linux kernel mailing list or vendor security advisories.
2. For organizations using custom or long-term support kernels, backport the fix to maintain stability.
3. Implement strict access controls and monitoring to prevent unauthorized local access that could lead to exploitation.
4. Regularly back up critical data and verify filesystem integrity using tools like e2fsck to detect and repair ext4 inconsistencies.
5. Consider using alternative filesystems with robust inline data handling if ext4 is not a strict requirement.
6. Monitor kernel logs for ext4 errors or BUG_ON triggers that may indicate attempts to exploit this vulnerability or filesystem corruption.
7. In virtualized or container environments, isolate workloads to limit the blast radius of potential kernel crashes.
8. Educate system administrators about the risks of delayed allocation and inline data features and encourage cautious use of fallocate and related system calls on ext4 volumes.
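
The log-monitoring recommendation above can be automated. The following Python scan is an added example, not code from the original advisory or from the kernel project: it groups kernel log lines into oops records and reports those matching the signature in the Description, a `kernel BUG at fs/ext4/inode.c` with RIP in `ext4_writepages`. The sample log is constructed from the trace on this page plus one made-up unrelated BUG, and the function and field names are hypothetical.

```python
import re

# Constructed sample: this page's oops, trimmed, timestamps added, plus one made-up unrelated BUG.
SAMPLE_LOG = """\
[  101.200000] EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
[  101.300000] ------------[ cut here ]------------
[  101.300100] kernel BUG at fs/ext4/inode.c:2708!
[  101.300300] CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
[  101.300400] RIP: 0010:ext4_writepages+0x1977/0x1c10
[  101.300500] Call Trace:
[  101.300600]  do_writepages+0x130/0x3a0
[  101.300700]  ext4_alloc_da_blocks+0x51/0x120
[  101.300800]  __ext4_ioctl+0x1534/0x3210
[  202.000000] ------------[ cut here ]------------
[  202.000100] kernel BUG at mm/example.c:100!
[  202.000200] RIP: 0010:example_fn+0x10/0x20
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # optional dmesg timestamp
BUG = re.compile(r"kernel BUG at (\S+?):(\d+)!")  # line number is recorded, not matched
RIP = re.compile(r"RIP: \w+:(\w+)\+0x")
TASK = re.compile(r"PID: (\d+) Comm: (\S+)")
EXT4_ERR = re.compile(r"EXT4-fs error \(device ([^)]+)\)")
FRAME = re.compile(r"^\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_writepages_bugs(log_text):
    """Return one record per oops that is a BUG in fs/ext4/inode.c with RIP in ext4_writepages."""
    oopses, cur, last_dev = [], None, None
    for raw in log_text.splitlines():
        line = TS.sub("", raw)
        if m := EXT4_ERR.search(line):
            last_dev = m.group(1)  # hint only: device of the most recent ext4 error
        elif "[ cut here ]" in line:
            oopses.append(cur := {"ext4_error_device": last_dev, "frames": []})
        elif cur is None:
            continue
        elif m := BUG.search(line):
            cur["file"], cur["line"] = m.group(1), int(m.group(2))
        elif m := RIP.search(line):
            cur["rip"] = m.group(1)
        elif m := TASK.search(line):
            cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
        elif m := FRAME.match(line):
            cur["frames"].append(m.group(1))
    return [o for o in oopses
            if o.get("file") == "fs/ext4/inode.c" and o.get("rip") == "ext4_writepages"]

if __name__ == "__main__":
    print(*find_writepages_bugs(SAMPLE_LOG), sep="\n")
```

The match keys on the source file and the faulting function rather than on line 2708, because the line number differs between kernel builds; a hit whose frames include `ext4_alloc_da_blocks` corresponds to step 3 of the sequence in the Description.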

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.543Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5721

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 6:10:52 AM

Last updated: 8/1/2025, 1:08:27 AM
