| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024050141-CVE-2024-26981-db53@gregkh>
Date: Wed, 1 May 2024 07:30:42 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-26981: nilfs2: fix OOB in nilfs_set_de_type
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix OOB in nilfs_set_de_type
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
which uses this array, specifies the index to read from the array in the
same way as "(mode & S_IFMT) >> S_SHIFT".
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
*inode)
{
umode_t mode = inode->i_mode;
de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
}
However, when the index is determined this way, an out-of-bounds (OOB)
error occurs by referring to an index that is 1 larger than the array size
when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a
patch to resize the nilfs_type_by_mode array should be applied to prevent
OOB errors.
The Linux kernel CVE team has assigned CVE-2024-26981 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 5.15.157 with commit bdbe483da21f
Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.1.88 with commit 897ac5306bbe
Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.6.29 with commit 2382eae66b19
Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.8.8 with commit 90823f8d9ecc
Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.9-rc5 with commit c4a7dc9523b5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26981
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/nilfs2/dir.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0
https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611
https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9
https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f
https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16
Powered by blists - more mailing lists