Bug 2420347 (CVE-2022-50673)

Summary: CVE-2022-50673 kernel: ext4: fix use-after-free in ext4_orphan_cleanup
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free vulnerability was found in the ext4 filesystem's orphan inode cleanup routine in the Linux kernel. When ext4_inode_attach_jinode() fails with -ENOMEM during orphan cleanup at mount time, the error is not properly propagated. The inode is freed via iput(), but the orphan list still references the same inode number. On the next loop iteration, the freed inode structure is reused, triggering a use-after-free when adding it to the orphan list.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-09 02:04:39 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in ext4_orphan_cleanup

I caught a issue as follows:
==================================================================
 BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
 Read of size 8 at addr ffff88814b13f378 by task mount/710

 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
 Call Trace:
  <TASK>
  dump_stack_lvl+0x73/0x9f
  print_report+0x25d/0x759
  kasan_report+0xc0/0x120
  __asan_load8+0x99/0x140
  __list_add_valid+0x28/0x1a0
  ext4_orphan_cleanup+0x564/0x9d0 [ext4]
  __ext4_fill_super+0x48e2/0x5300 [ext4]
  ext4_fill_super+0x19f/0x3a0 [ext4]
  get_tree_bdev+0x27b/0x450
  ext4_get_tree+0x19/0x30 [ext4]
  vfs_get_tree+0x49/0x150
  path_mount+0xaae/0x1350
  do_mount+0xe2/0x110
  __x64_sys_mount+0xf0/0x190
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>
 [...]
==================================================================

Above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_orphan_cleanup
   --- loop1: assume last_orphan is 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
    ext4_truncate --> return 0
      ext4_inode_attach_jinode --> return -ENOMEM
    iput(inode) --> free inode<12>
   --- loop2: last_orphan is still 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
    // use inode<12> and trigger UAF

To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
Comment 1 Alexander B 2025-12-09 18:43:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50673-f920@gregkh/T
Comment 7 errata-xmlrpc 2026-02-09 04:38:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2264 https://access.redhat.com/errata/RHSA-2026:2264
Comment 8 errata-xmlrpc 2026-02-10 02:00:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2378 https://access.redhat.com/errata/RHSA-2026:2378
Comment 9 errata-xmlrpc 2026-02-11 00:16:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2490 https://access.redhat.com/errata/RHSA-2026:2490
Comment 10 errata-xmlrpc 2026-02-11 16:30:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2573 https://access.redhat.com/errata/RHSA-2026:2573
Comment 11 errata-xmlrpc 2026-02-11 17:03:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2577 https://access.redhat.com/errata/RHSA-2026:2577
Comment 12 errata-xmlrpc 2026-02-12 15:12:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:2664 https://access.redhat.com/errata/RHSA-2026:2664
Comment 13 errata-xmlrpc 2026-02-25 00:19:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:3267 https://access.redhat.com/errata/RHSA-2026:3267
Comment 14 errata-xmlrpc 2026-02-25 04:03:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:3277 https://access.redhat.com/errata/RHSA-2026:3277
Comment 15 errata-xmlrpc 2026-02-25 14:15:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:3358 https://access.redhat.com/errata/RHSA-2026:3358
Comment 16 errata-xmlrpc 2026-02-25 15:16:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:3360 https://access.redhat.com/errata/RHSA-2026:3360
Comment 17 errata-xmlrpc 2026-03-03 09:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:3634 https://access.redhat.com/errata/RHSA-2026:3634
Comment 18 errata-xmlrpc 2026-03-03 20:34:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:3685 https://access.redhat.com/errata/RHSA-2026:3685