cve/published/2024/CVE-2024-40951.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.0.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40951: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

 bdev->bd_super has been removed and commit 8887b94d9322 change the usage
 from bdev->bd_super to b_assoc_map->host->i_sb.  Since ocfs2 hasn't set
 bh->b_assoc_map, it will trigger NULL pointer dereference when calling
 into ocfs2_abort_trigger().

 Actually this was pointed out in history, see commit 74e364ad1b13.  But
 I've made a mistake when reviewing commit 8887b94d9322 and then
 re-introduce this regression.

 Since we cannot revive bdev in buffer head, so fix this issue by
 initializing all types of ocfs2 triggers when fill super, and then get the
 specific ocfs2 trigger from ocfs2_caching_info when access journal.

 [joseph.qi@linux.alibaba.com: v2]

 The Linux kernel CVE team has assigned CVE-2024-40951 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.6.36 with commit 67bcecd780609f471260a8c83fb0ae15f27734ce
 	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.9.7 with commit eb63357ef229fae061ce7ce2839d558681c42f1a
 	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.10 with commit 685d03c3795378fca6a1b3d43581f7f1a3fc095f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40951
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ocfs2/journal.c
 	fs/ocfs2/ocfs2.h
 	fs/ocfs2/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/67bcecd780609f471260a8c83fb0ae15f27734ce
 	https://git.kernel.org/stable/c/eb63357ef229fae061ce7ce2839d558681c42f1a
 	https://git.kernel.org/stable/c/685d03c3795378fca6a1b3d43581f7f1a3fc095f
	From bippy-1.0.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40951: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

	bdev->bd_super has been removed and commit 8887b94d9322 change the usage
	from bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set
	bh->b_assoc_map, it will trigger NULL pointer dereference when calling
	into ocfs2_abort_trigger().

	Actually this was pointed out in history, see commit 74e364ad1b13. But
	I've made a mistake when reviewing commit 8887b94d9322 and then
	re-introduce this regression.

	Since we cannot revive bdev in buffer head, so fix this issue by
	initializing all types of ocfs2 triggers when fill super, and then get the
	specific ocfs2 trigger from ocfs2_caching_info when access journal.

	[joseph.qi@linux.alibaba.com: v2]

	The Linux kernel CVE team has assigned CVE-2024-40951 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.6.36 with commit 67bcecd780609f471260a8c83fb0ae15f27734ce
	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.9.7 with commit eb63357ef229fae061ce7ce2839d558681c42f1a
	Issue introduced in 6.6 with commit 8887b94d93224e0ef7e1bc6369640e313b8b12f4 and fixed in 6.10 with commit 685d03c3795378fca6a1b3d43581f7f1a3fc095f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40951
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ocfs2/journal.c
	fs/ocfs2/ocfs2.h
	fs/ocfs2/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/67bcecd780609f471260a8c83fb0ae15f27734ce
	https://git.kernel.org/stable/c/eb63357ef229fae061ce7ce2839d558681c42f1a
	https://git.kernel.org/stable/c/685d03c3795378fca6a1b3d43581f7f1a3fc095f