CVE-2022-50126

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

n the Linux kernel, the following vulnerability has been resolved: jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted Following process will fail assertion 'jh->b_frozen_data == NULL' in jbd2_journal_dirty_metadata(): jbd2_journal_commit_transaction unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // return false --> jbd2 abort <-- while (commit_transaction->t_buffers) if (is_journal_aborted) jbd2_journal_refile_buffer __jbd2_journal_refile_buffer WRITE_ONCE(jh->b_transaction, jh->b_next_transaction) WRITE_ONCE(jh->b_next_transaction, NULL) __jbd2_journal_file_buffer(jh, BJ_Reserved) J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure ! The reproducer (See detail in [Link]) reports: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: <TASK> __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80 After journal aborting, __jbd2_journal_refile_buffer() is executed with holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' into the area protected by @jh->b_state_lock.

References

Link	Resource
https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3	Patch
https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8	Patch
https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48	Patch
https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4	Patch
https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc	Patch
https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b	Patch
https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375	Patch
https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:2.6.19:rc6::::::

History

18 Nov 2025, 18:11

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3 -~~	() https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3 - Patch
References	~~() https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8 -~~	() https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8 - Patch
References	~~() https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48 -~~	() https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48 - Patch
References	~~() https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4 -~~	() https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4 - Patch
References	~~() https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc -~~	() https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc - Patch
References	~~() https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b -~~	() https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b - Patch
References	~~() https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375 -~~	() https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375 - Patch
References	~~() https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527 -~~	() https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:2.6.19:-::::::
CWE		CWE-617
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jbd2: se corrige el error de aserción 'jh->b_frozen_data == NULL' cuando se aborta el diario El siguiente proceso fallará la aserción 'jh->b_frozen_data == NULL' en jbd2_journal_dirty_metadata(): jbd2_journal_commit_transaction unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // devuelve falso --> jbd2 abort <-- while (commit_transaction->t_buffers) if (is_journal_aborted) jbd2_journal_refile_buffer __jbd2_journal_refile_buffer WRITE_ONCE(jh->b_transaction, jh->b_next_transaction) WRITE_ONCE(jh->b_next_transaction, NULL) __jbd2_journal_file_buffer(jh, BJ_Reserved) J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // ¡Fallo de aserción! El reproductor (ver detalles en [Enlace]) informa: ------------[ cortar aquí ]------------ ¡ERROR del kernel en fs/jbd2/transaction.c:1629! código de operación no válido: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: desvincular Contaminado: GW 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Rastreo de llamadas: __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80 Después de abortar el diario, se ejecuta __jbd2_journal_refile_buffer() manteniendo presionado @jh->b_state_lock. Podemos solucionarlo moviendo 'is_handle_aborted()' al área protegida por @jh->b_state_lock.

18 Jun 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-18 11:15

Updated : 2025-11-18 18:11

NVD link : CVE-2022-50126

Mitre link : CVE-2022-50126

CVE.ORG link : CVE-2022-50126

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-617

Reachable Assertion

5.5 /10