cve/published/2024/CVE-2024-47736.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47736: erofs: handle overlapped pclusters out of crafted images properly

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 erofs: handle overlapped pclusters out of crafted images properly

 syzbot reported a task hang issue due to a deadlock case where it is
 waiting for the folio lock of a cached folio that will be used for
 cache I/Os.

 After looking into the crafted fuzzed image, I found it's formed with
 several overlapped big pclusters as below:

  Ext:   logical offset   |  length :     physical offset    |  length
    0:        0..   16384 |   16384 :     151552..    167936 |   16384
    1:    16384..   32768 |   16384 :     155648..    172032 |   16384
    2:    32768..   49152 |   16384 :  537223168.. 537239552 |   16384
 ...

 Here, extent 0/1 are physically overlapped although it's entirely
 _impossible_ for normal filesystem images generated by mkfs.

 First, managed folios containing compressed data will be marked as
 up-to-date and then unlocked immediately (unlike in-place folios) when
 compressed I/Os are complete.  If physical blocks are not submitted in
 the incremental order, there should be separate BIOs to avoid dependency
 issues.  However, the current code mis-arranges z_erofs_fill_bio_vec()
 and BIO submission which causes unexpected BIO waits.

 Second, managed folios will be connected to their own pclusters for
 efficient inter-queries.  However, this is somewhat hard to implement
 easily if overlapped big pclusters exist.  Again, these only appear in
 fuzzed images so let's simply fall back to temporary short-lived pages
 for correctness.

 Additionally, it justifies that referenced managed folios cannot be
 truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
 up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
 difference.

 The Linux kernel CVE team has assigned CVE-2024-47736 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.6.72 with commit 1bf7e414cac303c9aec1be67872e19be8b64980c
 	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.10.13 with commit b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8
 	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.11.2 with commit 9cfa199bcbbbba31cbf97b2786f44f4464f3f29a
 	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.12 with commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47736
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/erofs/zdata.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1bf7e414cac303c9aec1be67872e19be8b64980c
 	https://git.kernel.org/stable/c/b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8
 	https://git.kernel.org/stable/c/9cfa199bcbbbba31cbf97b2786f44f4464f3f29a
 	https://git.kernel.org/stable/c/9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47736: erofs: handle overlapped pclusters out of crafted images properly

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	erofs: handle overlapped pclusters out of crafted images properly

	syzbot reported a task hang issue due to a deadlock case where it is
	waiting for the folio lock of a cached folio that will be used for
	cache I/Os.

	After looking into the crafted fuzzed image, I found it's formed with
	several overlapped big pclusters as below:

	Ext: logical offset \| length : physical offset \| length
	0: 0.. 16384 \| 16384 : 151552.. 167936 \| 16384
	1: 16384.. 32768 \| 16384 : 155648.. 172032 \| 16384
	2: 32768.. 49152 \| 16384 : 537223168.. 537239552 \| 16384
	...

	Here, extent 0/1 are physically overlapped although it's entirely
	_impossible_ for normal filesystem images generated by mkfs.

	First, managed folios containing compressed data will be marked as
	up-to-date and then unlocked immediately (unlike in-place folios) when
	compressed I/Os are complete. If physical blocks are not submitted in
	the incremental order, there should be separate BIOs to avoid dependency
	issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
	and BIO submission which causes unexpected BIO waits.

	Second, managed folios will be connected to their own pclusters for
	efficient inter-queries. However, this is somewhat hard to implement
	easily if overlapped big pclusters exist. Again, these only appear in
	fuzzed images so let's simply fall back to temporary short-lived pages
	for correctness.

	Additionally, it justifies that referenced managed folios cannot be
	truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
	up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
	difference.

	The Linux kernel CVE team has assigned CVE-2024-47736 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.6.72 with commit 1bf7e414cac303c9aec1be67872e19be8b64980c
	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.10.13 with commit b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8
	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.11.2 with commit 9cfa199bcbbbba31cbf97b2786f44f4464f3f29a
	Issue introduced in 5.13 with commit 8e6c8fa9f2e95c88a642521a5da19a8e31748846 and fixed in 6.12 with commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47736
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/erofs/zdata.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1bf7e414cac303c9aec1be67872e19be8b64980c
	https://git.kernel.org/stable/c/b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8
	https://git.kernel.org/stable/c/9cfa199bcbbbba31cbf97b2786f44f4464f3f29a
	https://git.kernel.org/stable/c/9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50