| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024050128-CVE-2024-26956-94b7@gregkh> Date: Wed, 1 May 2024 07:21:46 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-26956: nilfs2: fix failure to detect DAT corruption in btree and direct mappings Description =========== In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix failure to detect DAT corruption in btree and direct mappings Patch series "nilfs2: fix kernel bug at submit_bh_wbc()". This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch. The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such. This patch (of 2): Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted. There are two flaws involved in this issue. The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently. The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing. This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer. The Linux kernel CVE team has assigned CVE-2024-26956 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 4.19.312 with commit b67189690eb4 Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 5.4.274 with commit 9cbe1ad5f435 Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 5.10.215 with commit c3b5c5c31e72 Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 5.15.154 with commit 2e2619ff5d0d Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 6.1.84 with commit 46b832e09d43 Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 6.6.24 with commit f69e81396aea Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 6.7.12 with commit a8e4d098de1c Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 6.8.3 with commit 82827ca21e7c Issue introduced in 2.6.31 with commit c3a7abf06ce7 and fixed in 6.9-rc1 with commit f2f26b4a84a0 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-26956 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nilfs2/btree.c fs/nilfs2/direct.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35 https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84 https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7 https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862 https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713 https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4 https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba
Powered by blists - more mailing lists