{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode",
    "id" : "2420266",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420266"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix bug_on in __es_tree_search caused by bad boot loader inode\nWe got an issue as follows:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:203!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349\nRIP: 0010:ext4_es_end.isra.0+0x34/0x42\nRSP: 0018:ffffc9000143b768 EFLAGS: 00010203\nRAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff\nRBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0\nR13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000\nFS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n__es_tree_search.isra.0+0x6d/0xf5\next4_es_cache_extent+0xfa/0x230\next4_cache_extents+0xd2/0x110\next4_find_extent+0x5d5/0x8c0\next4_ext_map_blocks+0x9c/0x1d30\next4_map_blocks+0x431/0xa50\next4_mpage_readpages+0x48e/0xe40\next4_readahead+0x47/0x50\nread_pages+0x82/0x530\npage_cache_ra_unbounded+0x199/0x2a0\ndo_page_cache_ra+0x47/0x70\npage_cache_ra_order+0x242/0x400\nondemand_readahead+0x1e8/0x4b0\npage_cache_sync_ra+0xf4/0x110\nfilemap_get_pages+0x131/0xb20\nfilemap_read+0xda/0x4b0\ngeneric_file_read_iter+0x13a/0x250\next4_file_read_iter+0x59/0x1d0\nvfs_read+0x28f/0x460\nksys_read+0x73/0x160\n__x64_sys_read+0x1e/0x30\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>\n==================================================================\nIn the above issue, ioctl invokes the swap_inode_boot_loader function to\nswap inode<5> and inode<12>. However, inode<5> contains incorrect imode and\ndisordered extents, and i_nlink is set to 1. The extents check for inode in\nthe ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO.\nWhile links_count is set to 1, the extents are not initialized in\nswap_inode_boot_loader. After the ioctl command is executed successfully,\nthe extents are swapped to inode<12>, in this case, run the `cat` command\nto view inode<12>. And Bug_ON is triggered due to the incorrect extents.\nWhen the boot loader inode is not initialized, its imode can be one of the\nfollowing:\n1) the imode is a bad type, which is marked as bad_inode in ext4_iget and\nset to S_IFREG.\n2) the imode is good type but not S_IFREG.\n3) the imode is S_IFREG.\nThe BUG_ON may be triggered by bypassing the check in cases 1 and 2.\nTherefore, when the boot loader inode is bad_inode or its imode is not\nS_IFREG, initialize the inode to avoid triggering the BUG.", "A flaw was identified in the ext4 filesystem implementation in the Linux kernel where a malformed or improperly initialized boot loader inode could trigger a BUG_ON() condition inside the __es_tree_search() function. This occurs when the inode’s mode (imode) is an unexpected type and the code does not properly handle it, leading to a deliberate kernel bug assertion and invalid opcode execution. Under certain conditions, this flaw can be triggered by local filesystem operations, causing a kernel crash." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50638\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50638\nhttps://lore.kernel.org/linux-cve-announce/2025120935-CVE-2022-50638-fb89@gregkh/T" ],
  "name" : "CVE-2022-50638",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}