cve/published/2024/CVE-2024-42305.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42305: ext4: check dot and dotdot of dx_root before making dir indexed

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: check dot and dotdot of dx_root before making dir indexed

 Syzbot reports a issue as follows:
 ============================================
 BUG: unable to handle page fault for address: ffffed11022e24fe
 PGD 23ffee067 P4D 23ffee067 PUD 0
 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0
 Call Trace:
  <TASK>
  make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341
  ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451
  ext4_rename fs/ext4/namei.c:3936 [inline]
  ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214
 [...]
 ============================================

 The immediate cause of this problem is that there is only one valid dentry
 for the block to be split during do_split, so split==0 results in out of
 bounds accesses to the map triggering the issue.

     do_split
       unsigned split
       dx_make_map
        count = 1
       split = count/2 = 0;
       continued = hash2 == map[split - 1].hash;
        ---> map[4294967295]

 The maximum length of a filename is 255 and the minimum block size is 1024,
 so it is always guaranteed that the number of entries is greater than or
 equal to 2 when do_split() is called.

 But syzbot's crafted image has no dot and dotdot in dir, and the dentry
 distribution in dirblock is as follows:

   bus     dentry1          hole           dentry2           free
 |xx--|xx-------------|...............|xx-------------|...............|
 0   12 (8+248)=256  268     256     524 (8+256)=264 788     236     1024

 So when renaming dentry1 increases its name_len length by 1, neither hole
 nor free is sufficient to hold the new dentry, and make_indexed_dir() is
 called.

 In make_indexed_dir() it is assumed that the first two entries of the
 dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root
 because they are treated as dot and dotdot, and only dentry2 is moved
 to the new leaf block. That's why count is equal to 1.

 Therefore add the ext4_check_dx_root() helper function to add more sanity
 checks to dot and dotdot before starting the conversion to avoid the above
 issue.

 The Linux kernel CVE team has assigned CVE-2024-42305 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 4.19.320 with commit b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.4.282 with commit 19e13b4d7f0303186fcc891aba8d0de7c8fdbda8
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.10.224 with commit 42d420517072028fb0eb852c358056b7717ba5aa
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.15.165 with commit 8afe06ed3be7a874b3cd82ef5f8959aca8d6429a
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.1.103 with commit abb411ac991810c0bcbe51c2e76d2502bf611b5c
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.6.44 with commit 9d241b7a39af192d1bb422714a458982c7cc67a2
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.10.3 with commit cdd345321699042ece4a9d2e70754d2397d378c5
 	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.11 with commit 50ea741def587a64e08879ce6c6a30131f7111e7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42305
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/namei.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db
 	https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8
 	https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa
 	https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a
 	https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c
 	https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2
 	https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5
 	https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42305: ext4: check dot and dotdot of dx_root before making dir indexed

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: check dot and dotdot of dx_root before making dir indexed

	Syzbot reports a issue as follows:
	============================================
	BUG: unable to handle page fault for address: ffffed11022e24fe
	PGD 23ffee067 P4D 23ffee067 PUD 0
	Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
	CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0
	Call Trace:
	<TASK>
	make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341
	ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451
	ext4_rename fs/ext4/namei.c:3936 [inline]
	ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214
	[...]
	============================================

	The immediate cause of this problem is that there is only one valid dentry
	for the block to be split during do_split, so split==0 results in out of
	bounds accesses to the map triggering the issue.

	do_split
	unsigned split
	dx_make_map
	count = 1
	split = count/2 = 0;
	continued = hash2 == map[split - 1].hash;
	---> map[4294967295]

	The maximum length of a filename is 255 and the minimum block size is 1024,
	so it is always guaranteed that the number of entries is greater than or
	equal to 2 when do_split() is called.

	But syzbot's crafted image has no dot and dotdot in dir, and the dentry
	distribution in dirblock is as follows:

	bus dentry1 hole dentry2 free
	\|xx--\|xx-------------\|...............\|xx-------------\|...............\|
	0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024

	So when renaming dentry1 increases its name_len length by 1, neither hole
	nor free is sufficient to hold the new dentry, and make_indexed_dir() is
	called.

	In make_indexed_dir() it is assumed that the first two entries of the
	dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root
	because they are treated as dot and dotdot, and only dentry2 is moved
	to the new leaf block. That's why count is equal to 1.

	Therefore add the ext4_check_dx_root() helper function to add more sanity
	checks to dot and dotdot before starting the conversion to avoid the above
	issue.

	The Linux kernel CVE team has assigned CVE-2024-42305 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 4.19.320 with commit b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.4.282 with commit 19e13b4d7f0303186fcc891aba8d0de7c8fdbda8
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.10.224 with commit 42d420517072028fb0eb852c358056b7717ba5aa
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 5.15.165 with commit 8afe06ed3be7a874b3cd82ef5f8959aca8d6429a
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.1.103 with commit abb411ac991810c0bcbe51c2e76d2502bf611b5c
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.6.44 with commit 9d241b7a39af192d1bb422714a458982c7cc67a2
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.10.3 with commit cdd345321699042ece4a9d2e70754d2397d378c5
	Issue introduced in 2.6.19 with commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and fixed in 6.11 with commit 50ea741def587a64e08879ce6c6a30131f7111e7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42305
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/namei.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db
	https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8
	https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa
	https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a
	https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c
	https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2
	https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5
	https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7