[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <362b1e1b-dcdb-4801-a9fc-18d019e7c775@huawei.com>
Date: Thu, 13 Jun 2024 19:21:14 +0800
From: Baokun Li <libaokun1@...wei.com>
To: Gao Xiang <hsiangkao@...ux.alibaba.com>, <cve@...nel.org>,
<linux-kernel@...r.kernel.org>, <linux-cve-announce@...r.kernel.org>
CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Baokun Li
<libaokun@...weicloud.com>, 杨二坤 <yangerkun@...wei.com>
Subject: Re: CVE-2024-36966: erofs: reliably distinguish block based and
fscache mode
On 2024/6/13 17:38, Gao Xiang wrote:
> Hi,
>
> (+Cc Baokun Li)
>
> On 2024/6/8 20:53, Greg Kroah-Hartman wrote:
>> Description
>> ===========
>>
>> In the Linux kernel, the following vulnerability has been resolved:
>>
>> erofs: reliably distinguish block based and fscache mode
>>
>> When erofs_kill_sb() is called in block dev based mode, s_bdev may not
>> have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,
>> it will be mistaken for fscache mode, and then attempt to free an
>> anon_dev
>> that has never been allocated, triggering the following warning:
>>
>> ============================================
>> ida_free called for id=0 which is not allocated.
>> WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140
>> Modules linked in:
>> CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630
>> RIP: 0010:ida_free+0x134/0x140
>> Call Trace:
>> <TASK>
>> erofs_kill_sb+0x81/0x90
>> deactivate_locked_super+0x35/0x80
>> get_tree_bdev+0x136/0x1e0
>> vfs_get_tree+0x2c/0xf0
>> do_new_mount+0x190/0x2f0
>> [...]
>> ============================================
>>
>> Now when erofs_kill_sb() is called, erofs_sb_info must have been
>> initialised, so use sbi->fsid to distinguish between the two modes.
>>
>> The Linux kernel CVE team has assigned CVE-2024-36966 to this issue.
>>
>>
>> Affected and fixed versions
>> ===========================
>>
>> Fixed in 6.6.32 with commit f9b877a7ee31
>> Fixed in 6.8.11 with commit dcdd49701e42
>> Fixed in 6.9 with commit 7af2ae1b1531
>
> For reference, this issue doesn't affect Linux kernel below 6.6.
>
> This behavior ("s_bdev may not be initialized in erofs_kill_sb()")
> is introduced due to commit aca740cecbe5 ("fs: open block device after
> superblock creation").
>
> In other words, previously .kill_sb() was called only after
> fill_super failed and problematic erofs_kill_sb() called due to
> setup_bdev_super() failure can only happen since Linux 6.6.
>
> Thanks,
> Gao Xiang
Exactly! I'm so sorry I forgot to add the Fixes tag.
Thanks,
Baokun
>
>>
>> Please see https://www.kernel.org for a full list of currently supported
>> kernel versions by the kernel community.
>>
>> Unaffected versions might change over time as fixes are backported to
>> older supported kernel versions. The official CVE entry at
>> https://cve.org/CVERecord/?id=CVE-2024-36966
>> will be updated if fixes are backported, please check that for the most
>> up to date information about this issue.
>>
>>
>> Affected files
>> ==============
>>
>> The file(s) affected by this issue are:
>> fs/erofs/super.c
>>
>>
>> Mitigation
>> ==========
>>
>> The Linux kernel CVE team recommends that you update to the latest
>> stable kernel version for this, and many other bugfixes. Individual
>> changes are never tested alone, but rather are part of a larger kernel
>> release. Cherry-picking individual commits is not recommended or
>> supported by the Linux kernel community at all. If however, updating to
>> the latest release is impossible, the individual changes to resolve this
>> issue can be found at these commits:
>> https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371
>>
>> https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe
>>
>> https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606
>>
>>
Powered by blists - more mailing lists