cve/published/2023/CVE-2023-52603.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52603: UBSAN: array-index-out-of-bounds in dtSplitRoot

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 UBSAN: array-index-out-of-bounds in dtSplitRoot

 Syzkaller reported the following issue:

 oop0: detected capacity change from 0 to 32768

 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
 index -2 is out of range for type 'struct dtslot [128]'
 CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  ubsan_epilogue lib/ubsan.c:151 [inline]
  __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
  dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
  dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
  dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
  jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
  vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
  do_mkdirat+0x279/0x550 fs/namei.c:4038
  __do_sys_mkdirat fs/namei.c:4053 [inline]
  __se_sys_mkdirat fs/namei.c:4051 [inline]
  __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0033:0x7fcdc0113fd9
 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
  </TASK>

 The issue is caused when the value of fsi becomes less than -1.
 The check to break the loop when fsi value becomes -1 is present
 but syzbot was able to produce value less than -1 which cause the error.
 This patch simply add the change for the values less than 0.

 The patch is tested via syzbot.

 The Linux kernel CVE team has assigned CVE-2023-52603 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.307 with commit e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af
 	Fixed in 5.4.269 with commit fd3486a893778770557649fe28afa5e463d4ed07
 	Fixed in 5.10.210 with commit 7aa33854477d9c346f5560a1a1fcb3fe7783e2a8
 	Fixed in 5.15.149 with commit e4ce01c25ccbea02a09a5291c21749b1fc358e39
 	Fixed in 6.1.77 with commit e4cbc857d75d4e22a1f75446e7480b1f305d8d60
 	Fixed in 6.6.16 with commit edff092a59260bf0b0a2eba219cb3da6372c2f9f
 	Fixed in 6.7.4 with commit 6e2902ecc77e9760a9fc447f56d598383e2372d2
 	Fixed in 6.8 with commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52603
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jfs/jfs_dtree.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af
 	https://git.kernel.org/stable/c/fd3486a893778770557649fe28afa5e463d4ed07
 	https://git.kernel.org/stable/c/7aa33854477d9c346f5560a1a1fcb3fe7783e2a8
 	https://git.kernel.org/stable/c/e4ce01c25ccbea02a09a5291c21749b1fc358e39
 	https://git.kernel.org/stable/c/e4cbc857d75d4e22a1f75446e7480b1f305d8d60
 	https://git.kernel.org/stable/c/edff092a59260bf0b0a2eba219cb3da6372c2f9f
 	https://git.kernel.org/stable/c/6e2902ecc77e9760a9fc447f56d598383e2372d2
 	https://git.kernel.org/stable/c/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52603: UBSAN: array-index-out-of-bounds in dtSplitRoot

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	UBSAN: array-index-out-of-bounds in dtSplitRoot

	Syzkaller reported the following issue:

	oop0: detected capacity change from 0 to 32768

	UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
	index -2 is out of range for type 'struct dtslot [128]'
	CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
	ubsan_epilogue lib/ubsan.c:151 [inline]
	__ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
	dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
	dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
	dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
	jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
	vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
	do_mkdirat+0x279/0x550 fs/namei.c:4038
	__do_sys_mkdirat fs/namei.c:4053 [inline]
	__se_sys_mkdirat fs/namei.c:4051 [inline]
	__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	RIP: 0033:0x7fcdc0113fd9
	Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
	RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
	RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
	R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
	R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
	</TASK>

	The issue is caused when the value of fsi becomes less than -1.
	The check to break the loop when fsi value becomes -1 is present
	but syzbot was able to produce value less than -1 which cause the error.
	This patch simply add the change for the values less than 0.

	The patch is tested via syzbot.

	The Linux kernel CVE team has assigned CVE-2023-52603 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.307 with commit e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af
	Fixed in 5.4.269 with commit fd3486a893778770557649fe28afa5e463d4ed07
	Fixed in 5.10.210 with commit 7aa33854477d9c346f5560a1a1fcb3fe7783e2a8
	Fixed in 5.15.149 with commit e4ce01c25ccbea02a09a5291c21749b1fc358e39
	Fixed in 6.1.77 with commit e4cbc857d75d4e22a1f75446e7480b1f305d8d60
	Fixed in 6.6.16 with commit edff092a59260bf0b0a2eba219cb3da6372c2f9f
	Fixed in 6.7.4 with commit 6e2902ecc77e9760a9fc447f56d598383e2372d2
	Fixed in 6.8 with commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52603
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jfs/jfs_dtree.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af
	https://git.kernel.org/stable/c/fd3486a893778770557649fe28afa5e463d4ed07
	https://git.kernel.org/stable/c/7aa33854477d9c346f5560a1a1fcb3fe7783e2a8
	https://git.kernel.org/stable/c/e4ce01c25ccbea02a09a5291c21749b1fc358e39
	https://git.kernel.org/stable/c/e4cbc857d75d4e22a1f75446e7480b1f305d8d60
	https://git.kernel.org/stable/c/edff092a59260bf0b0a2eba219cb3da6372c2f9f
	https://git.kernel.org/stable/c/6e2902ecc77e9760a9fc447f56d598383e2372d2
	https://git.kernel.org/stable/c/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16