[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024050132-CVE-2024-26972-bf6c@gregkh>
Date: Wed, 1 May 2024 07:22:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-26972: ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
For error handling path in ubifs_symlink(), inode will be marked as
bad first, then iput() is invoked. If inode->i_link is initialized by
fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't
be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error
handling path, because make_bad_inode() has changed 'inode->i_mode' as
'S_IFREG'.
Following kmemleak is easy to be reproduced by injecting error in
ubifs_jnl_update() when doing symlink in encryption scenario:
unreferenced object 0xffff888103da3d98 (size 8):
comm "ln", pid 1692, jiffies 4294914701 (age 12.045s)
backtrace:
kmemdup+0x32/0x70
__fscrypt_encrypt_symlink+0xed/0x1c0
ubifs_symlink+0x210/0x300 [ubifs]
vfs_symlink+0x216/0x360
do_symlinkat+0x11a/0x190
do_syscall_64+0x3b/0xe0
There are two ways fixing it:
1. Remove make_bad_inode() in error handling path. We can do that
because ubifs_evict_inode() will do same processes for good
symlink inode and bad symlink inode, for inode->i_nlink checking
is before is_bad_inode().
2. Free inode->i_link before marking inode bad.
Method 2 is picked, it has less influence, personally, I think.
The Linux kernel CVE team has assigned CVE-2024-26972 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.2 with commit 2c58d548f570 and fixed in 6.8.3 with commit 62b5ae00c2b8
Issue introduced in 5.2 with commit 2c58d548f570 and fixed in 6.9-rc1 with commit 6379b44cdcd6
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26972
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ubifs/dir.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae
https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa
Powered by blists - more mailing lists