Message-ID: <2024102131-CVE-2024-49958-1bc6@gregkh>
Date: Mon, 21 Oct 2024 20:02:46 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-49958: ocfs2: reserve space for inline xattr before attaching reflink tree

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: reserve space for inline xattr before attaching reflink tree

One of our customers reported a crash and a corrupted ocfs2 filesystem. 
The crash was due to the detection of corruption.  Upon troubleshooting,
the fsck -fn output showed the below corruption

[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
but fsck believes the largest valid value is 227.  Clamp the next record value? n

The stat output from the debugfs.ocfs2 showed the following corruption
where the "Next Free Rec:" had overshot the "Count:" in the root metadata
block.

        Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
        FS Generation: 904309833 (0x35e6ac49)
        CRC32: 00000000   ECC: 0000
        Type: Regular   Attr: 0x0   Flags: Valid
        Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
        Extended Attributes Block: 0  Extended Attributes Inline Size: 256
        User: 0 (root)   Group: 0 (root)   Size: 281320357888
        Links: 1   Clusters: 141738
        ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
        atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
        mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
        dtime: 0x0 -- Wed Dec 31 17:00:00 1969
        Refcount Block: 2777346
        Last Extblk: 2886943   Orphan Slot: 0
        Sub Alloc Slot: 0   Sub Alloc Bit: 14
        Tree Depth: 1   Count: 227   Next Free Rec: 230
        ## Offset        Clusters       Block#
        0  0             2310           2776351
        1  2310          2139           2777375
        2  4449          1221           2778399
        3  5670          731            2779423
        4  6401          566            2780447
        .......          ....           .......
        .......          ....           .......

The issue was in the reflink workflow while reserving space for inline
xattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the
time this function is called the reflink tree is already recreated at the
destination inode from the source inode.  At this point, this function
reserves space for inline xattrs at the destination inode without even
checking if there is space at the root metadata block.  It simply reduces
the l_count from 243 to 227 thereby making space of 256 bytes for inline
xattr whereas the inode already has extents beyond this index (in this
case up to 230), thereby causing corruption.

The fix for this is to reserve space for inline metadata at the destination
inode before the reflink tree gets recreated. The customer has verified the
fix.
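The invariant the fsck output above complains about (the next free record index must never exceed the record count) and the ordering mistake the commit message describes, modelled as an added C example. This is not the kernel's code: the struct is a simplified stand-in for the ocfs2 extent list header, and the 16-byte record size is an assumption chosen because it matches the 243 to 227 shrink for a 256-byte inline xattr area.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the ocfs2 extent list header, assumed for this example
 * (not the kernel's struct): l_count = record slots in the block,
 * l_next_free_rec = index of the next unused slot. */
struct extent_list {
    uint16_t l_count;
    uint16_t l_next_free_rec;
};
/* One extent record is assumed to be 16 bytes, so 256 bytes of inline xattr
 * space costs 16 record slots (243 -> 227 in the report). */
#define EXTENT_REC_SIZE 16

/* Broken ordering: shrink l_count for the inline xattr area after extents
 * were already attached, without checking how many slots are in use. */
void reserve_inline_xattr_unchecked(struct extent_list *el, unsigned xattr_size)
{
    el->l_count -= xattr_size / EXTENT_REC_SIZE;
}

/* Hardened variant: refuse to shrink below the records already in use. */
int reserve_inline_xattr_checked(struct extent_list *el, unsigned xattr_size)
{
    unsigned new_count = el->l_count - xattr_size / EXTENT_REC_SIZE;
    if (el->l_next_free_rec > new_count)
        return -ENOSPC;   /* existing extents would overrun the xattr area */
    el->l_count = (uint16_t)new_count;
    return 0;
}

/* The invariant fsck.ocfs2 reported as violated: the next free record index
 * must never exceed the slot count. Returns 1 if consistent, 0 if corrupt. */
int extent_list_is_consistent(const struct extent_list *el)
{
    return el->l_next_free_rec <= el->l_count;
}

int main(void)
{
    /* Constructed to mirror the report: 243 slots, extents up to index 230. */
    struct extent_list bad = { 243, 230 }, good = { 243, 230 };
    reserve_inline_xattr_unchecked(&bad, 256);
    int rc = reserve_inline_xattr_checked(&good, 256);
    printf("unchecked: count=%u next_free=%u consistent=%d\n",
           bad.l_count, bad.l_next_free_rec, extent_list_is_consistent(&bad));
    printf("checked: rc=%d count=%u consistent=%d\n", rc, good.l_count,
           extent_list_is_consistent(&good));
    return 0;
}
```

The unchecked path reproduces the corrupt state in the debugfs.ocfs2 dump (Count 227, Next Free Rec 230); the checked path refuses with -ENOSPC and leaves the header consistent, which is why the fix reserves the space before the reflink tree is attached.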

The Linux kernel CVE team has assigned CVE-2024-49958 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.11 with commit ef962df057aa and fixed in 5.10.227 with commit aac31d654a0a
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 5.15.168 with commit 020f5c53c17f
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 6.1.113 with commit 5c2072f02c0d
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 6.6.55 with commit 637c00e06564
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 6.10.14 with commit 9f9a8f3ac65b
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 6.11.3 with commit 96ce4c353711
	Issue introduced in 3.11 with commit ef962df057aa and fixed in 6.12-rc1 with commit 5ca60b86f57a
	Issue introduced in 3.0.87 with commit 3a32958d2ac9
	Issue introduced in 3.2.49 with commit 93f26306db89
	Issue introduced in 3.4.54 with commit 26a849f49fb3
	Issue introduced in 3.9.11 with commit 1e7e4c9ae2a7
	Issue introduced in 3.10.2 with commit 1926bf8ae44d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49958
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/ocfs2/refcounttree.c
	fs/ocfs2/xattr.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707
	https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
	https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5
	https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f
	https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
	https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4
	https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0
