Bug 2425151 (CVE-2022-50743) - CVE-2022-50743 kernel: erofs: Fix pcluster memleak when its block address is zero
Summary: CVE-2022-50743 kernel: erofs: Fix pcluster memleak when its block address is ...
Keywords:
Status: NEW
Alias: CVE-2022-50743
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-24 14:06 UTC by OSIDB Bzimport
Modified: 2025-12-24 22:53 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-24 14:06:45 UTC 
In the Linux kernel, the following vulnerability has been resolved:

erofs: Fix pcluster memleak when its block address is zero

syzkaller reported a memleak:
https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed

unreferenced object 0xffff88811009c7f8 (size 136):
  ...
  backtrace:
    [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740
    [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580
    [<ffffffff814bc0d6>] read_pages+0x86/0x3d0
    ...

syzkaller constructed a case: in z_erofs_register_pcluster(),
ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be
zero although pcl is not a inline pcluster.

Then following path adds refcount for grp, but the refcount won't be put
because pcl is inline.

z_erofs_readahead()
  z_erofs_do_read_page() # for another page
    z_erofs_collector_begin()
      erofs_find_workgroup()
        erofs_workgroup_get()

Since it's illegal for the block address of a non-inlined pcluster to
be zero, add check here to avoid registering the pcluster which would
be leaked.
Comment 1 Alexander B 2025-12-24 22:49:01 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122449-CVE-2022-50743-8e63@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.