cve/published/2024/CVE-2024-56598.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56598: jfs: array-index-out-of-bounds fix in dtReadFirst

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jfs: array-index-out-of-bounds fix in dtReadFirst

 The value of stbl can be sometimes out of bounds due
 to a bad filesystem. Added a check with appopriate return
 of error code in that case.

 The Linux kernel CVE team has assigned CVE-2024-56598 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.287 with commit 25f1e673ef61d6bf9a6022e27936785896d74948
 	Fixed in 5.10.231 with commit 8c97a4d5463a1c972ef576ac499ea9b05f956097
 	Fixed in 5.15.174 with commit 823d573f5450ca6be80b36f54d1902ac7cd23fb9
 	Fixed in 6.1.120 with commit 2eea5fda5556ef03defebf07b0a12fcd2c5210f4
 	Fixed in 6.6.66 with commit fd993b2180b4c373af8b99aa28d4dcda5c2a8f10
 	Fixed in 6.12.5 with commit 22dcbf7661c6ffc3247978c254dc40b833a0d429
 	Fixed in 6.13 with commit ca84a2c9be482836b86d780244f0357e5a778c46

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56598
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jfs/jfs_dtree.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/25f1e673ef61d6bf9a6022e27936785896d74948
 	https://git.kernel.org/stable/c/8c97a4d5463a1c972ef576ac499ea9b05f956097
 	https://git.kernel.org/stable/c/823d573f5450ca6be80b36f54d1902ac7cd23fb9
 	https://git.kernel.org/stable/c/2eea5fda5556ef03defebf07b0a12fcd2c5210f4
 	https://git.kernel.org/stable/c/fd993b2180b4c373af8b99aa28d4dcda5c2a8f10
 	https://git.kernel.org/stable/c/22dcbf7661c6ffc3247978c254dc40b833a0d429
 	https://git.kernel.org/stable/c/ca84a2c9be482836b86d780244f0357e5a778c46
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56598: jfs: array-index-out-of-bounds fix in dtReadFirst

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jfs: array-index-out-of-bounds fix in dtReadFirst

	The value of stbl can be sometimes out of bounds due
	to a bad filesystem. Added a check with appopriate return
	of error code in that case.

	The Linux kernel CVE team has assigned CVE-2024-56598 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.287 with commit 25f1e673ef61d6bf9a6022e27936785896d74948
	Fixed in 5.10.231 with commit 8c97a4d5463a1c972ef576ac499ea9b05f956097
	Fixed in 5.15.174 with commit 823d573f5450ca6be80b36f54d1902ac7cd23fb9
	Fixed in 6.1.120 with commit 2eea5fda5556ef03defebf07b0a12fcd2c5210f4
	Fixed in 6.6.66 with commit fd993b2180b4c373af8b99aa28d4dcda5c2a8f10
	Fixed in 6.12.5 with commit 22dcbf7661c6ffc3247978c254dc40b833a0d429
	Fixed in 6.13 with commit ca84a2c9be482836b86d780244f0357e5a778c46

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56598
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jfs/jfs_dtree.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/25f1e673ef61d6bf9a6022e27936785896d74948
	https://git.kernel.org/stable/c/8c97a4d5463a1c972ef576ac499ea9b05f956097
	https://git.kernel.org/stable/c/823d573f5450ca6be80b36f54d1902ac7cd23fb9
	https://git.kernel.org/stable/c/2eea5fda5556ef03defebf07b0a12fcd2c5210f4
	https://git.kernel.org/stable/c/fd993b2180b4c373af8b99aa28d4dcda5c2a8f10
	https://git.kernel.org/stable/c/22dcbf7661c6ffc3247978c254dc40b833a0d429
	https://git.kernel.org/stable/c/ca84a2c9be482836b86d780244f0357e5a778c46