Bug 2250 - [ANCK 4.19] fix CVE-2022-3202
Summary: [ANCK 4.19] fix CVE-2022-3202
Status: RESOLVED FIXED
Alias: None
Product: ANCK 4.19 Dev
Classification: ANCK
Component: fs
Version: unspecified
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: tangbinzy
QA Contact: shuming
 
Reported: 2022-09-22 15:03 UTC by tangbinzy
Modified: 2022-09-23 09:40 UTC

Description tangbinzy cmss_group 2022-09-22 15:03:02 UTC
I. Vulnerability information
CVE ID: CVE-2022-3202
Affected component: JFS
Affected versions: mainline before 5.18; 4.19
CVSS v3.0 score: 7.1
Summary:
A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS) in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.
Disclosure date: 2022-9-14
Creation date: 2019-4-15
Reference for details: https://nvd.nist.gov/vuln/detail/CVE-2022-3202

II. Resolution
   Because mainline versions before 5.18 are affected, both cloud Linux kernel 4.19 and 5.10 need to be updated. Upstream patches:

   1. commit 9d574f985fe33efd6911f4d752de6f485a1ea732 jfs: fix GPF in diFree
   2. commit a53046291020ec41e09181396c1e829287b48d47 jfs: prevent NULL deref in diFree
Comment 1 Joseph Qi alibaba_cloud_group 2022-09-23 09:40:25 UTC
Merged:
https://gitee.com/anolis/cloud-kernel/pulls/730

BTW, could you please file another bug for ANCK 5.10 and post a PR as well? Thanks.