CVE CyberSecurity Database News

CVE-2022-49282 - Critical Null Pointer Dereference in Linux F2FS Quota Sync Fixed

Poster -

A severe bug was found in the Linux kernel's f2fs (Flash-Friendly File System) subsystem that could trigger a system crash (kernel panic) due to a null pointer dereference. Assigned CVE-2022-49282, this vulnerability allowed unprivileged local users to potentially crash affected systems running vulnerable kernels using F2FS with quotas enabled.

This post explains the root cause of the bug, how it was fixed, and provides clear examples and resources for further research.

What Happened? (Explained Simply)

When the file system (f2fs) on Linux tries to synchronize its disk quotas via the f2fs_quota_sync() function, there was a programming mistake: the loop that checked if quotas were active was using the wrong variable for its logic.

- What should have happened: The function was supposed to loop through all quota types (like user, group, project) and check if each one was active before syncing it.
- What actually happened: The check accidentally used the wrong variable, so under some conditions, inactive quotas could be accessed as if they were valid. If that happened, the code could try to access a NULL value, causing a kernel oops and panic.

Sample problematic code (before the fix, simplified)

for (type = ; type < MAXQUOTAS; type++) {
    if (!sb_has_quota_active(sb, type))
        continue;
    inode_lock(dqopt->files[type]); // Potential NULL dereference!
    // ... do the sync ...
}

Real Problem:
The function passed the wrong argument (type) to sb_has_quota_active(). Worse, the compiler might optimize away this check for certain values, particularly -1, leading to skipping the safety check entirely.

When type == -1 (or other wrong values) the quota file pointer is NULL, so inode_lock(dqopt->files[type]) = *crash*.

Here's a snippet from a reported crash caused by this bug

[    2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a
...
[    2.800116] Kernel panic - not syncing: Fatal exception

Key lines

- f2fs_quota_sync+x100/x294
- down_write+x28/x70
- block_operations+x120/x204

Kernel panic - not syncing: Fatal exception

This shows the system failed while syncing quotas in the f2fs kernel thread, and after a fatal dereference of a NULL pointer, it shut down to prevent further damage.

Technical Details: The Vulnerability

- Location: f2fs/super.c, function f2fs_quota_sync()
- Root Cause: Wrong argument (type instead of cnt) passed to sb_has_quota_active(). Under certain conditions, the loop could process an uninitialized or NULL quota file pointer.
- Impact: Unprivileged local user could trigger a kernel panic by causing quota sync on a volume with this bug, leading to a denial of service.

The Fix

The fix was simple but crucial: pass the correct variable to the sb_has_quota_active() function in the loop, making sure that only active quotas are synced and no null pointers are dereferenced.

Before (Vulnerable)

for (type = ; type < MAXQUOTAS; type++) {
    if (!sb_has_quota_active(sb, type))
        continue;
    inode_lock(dqopt->files[type]);
    // ...
}

After (Patched)

for (cnt = ; cnt < MAXQUOTAS; cnt++) {
    if (!sb_has_quota_active(sb, cnt))
        continue;
    inode_lock(dqopt->files[cnt]);
    // ...
}

Now, the loop variable and the argument are always in sync, preventing null dereferences.

Patch reference:
- Commit: f2fs: quota: fix loop condition at f2fs_quota_sync()

How Could This Be Exploited?

While this is not a remote exploit, any local user (even unprivileged) who could trigger a quota sync—such as mounting or unmounting an F2FS filesystem with quotas enabled, or using standard disk commands—could crash the entire system.

Any device using F2FS with quotas enabled (popular on Android devices and Linux laptops with flash storage) was potentially at risk.

Mitigation and Fix

- Update your Linux kernel to a version including the fixed patch (merged in Linux 6.+ and backported to supported LTS releases like 5.15, 5.10).

If unable to update, disable quotas on F2FS or avoid using F2FS until patched.

- Distributions like Ubuntu, Debian, Red Hat, and Android changed their kernels to fix this issue rapidly after disclosure.

References and Further Reading

- Linux Kernel Patch Commit
- linux-distros kernel CVE tracker
- f2fs quota sync routine discussion
- Phoronix coverage: Kernel f2fs Quota Bug

Summary for Admins and Users

If you use F2FS with quotas, patch now! This bug can take out your whole server, phone, or laptop.
Check your kernel version, or reach out to your vendor to confirm they’ve backported the fix for CVE-2022-49282.


*Stay secure—and always double-check those kernel updates!*

Timeline

Published on: 02/26/2025 07:01:05 UTC
Last modified on: 04/14/2025 20:09:48 UTC