CVE-2021-45469: 
Alibaba Cloud Linux (Aliyun Linux) vulnerability analysis and mitigation

CVE-2021-45469 is a vulnerability discovered in the Linux kernel through version 5.15.11, specifically in the _f2fssetxattr function within fs/f2fs/xattr.c. The vulnerability was discovered by Wenqing Liu and disclosed on December 23, 2021. The issue occurs when an inode has an invalid last xattr entry, leading to an out-of-bounds memory access (Openwall List, NVD).

The vulnerability exists in the _f2fssetxattr function where there was a missing sanity check on the last xattr entry. This oversight could result in out-of-bounds memory access when processing inconsistent xattr data of the target inode. The issue was assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity (Kernel Bugzilla, NetApp Advisory).

When exploited, this vulnerability could lead to denial of service conditions through system crashes, potential memory corruption, or other issues when mounting and operating on a crafted image. The high CVSS score indicates potential for significant impact on system confidentiality, integrity, and availability (Debian Security, NetApp Advisory).

A fix was developed and committed by Chao Yu, which adds proper sanity checks for the last xattr entry. The patch was merged into the kernel development branch and was included in subsequent kernel releases. Various Linux distributions have released updates to address this vulnerability, including Debian (versions 4.19.232-1~deb9u1, 5.10.92-1) and Fedora (kernel-5.15.12) (Kernel Patch, Debian Security).