cve/published/2024/CVE-2024-56692.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56692: f2fs: fix to do sanity check on node blkaddr in truncate_node()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to do sanity check on node blkaddr in truncate_node()

 syzbot reports a f2fs bug as below:

 ------------[ cut here ]------------
 kernel BUG at fs/f2fs/segment.c:2534!
 RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
 Call Trace:
  truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909
  f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288
  f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856
  evict+0x4e8/0x9b0 fs/inode.c:723
  f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986
  f2fs_create+0x357/0x530 fs/f2fs/namei.c:394
  lookup_open fs/namei.c:3595 [inline]
  open_last_lookups fs/namei.c:3694 [inline]
  path_openat+0x1c03/0x3590 fs/namei.c:3930
  do_filp_open+0x235/0x490 fs/namei.c:3960
  do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
  do_sys_open fs/open.c:1430 [inline]
  __do_sys_openat fs/open.c:1446 [inline]
  __se_sys_openat fs/open.c:1441 [inline]
  __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534

 The root cause is: on a fuzzed image, blkaddr in nat entry may be
 corrupted, then it will cause system panic when using it in
 f2fs_invalidate_blocks(), to avoid this, let's add sanity check on
 nat blkaddr in truncate_node().

 The Linux kernel CVE team has assigned CVE-2024-56692 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.64 with commit 27d6e7eff07f8cce8e83b162d8f21a07458c860d
 	Fixed in 6.11.11 with commit c1077078ce4589b5e5387f6b0aaa0d4534b9eb57
 	Fixed in 6.12.2 with commit 0a5c8b3fbf6200f1c66062d307c9a52084917788
 	Fixed in 6.13 with commit 6babe00ccd34fc65b78ef8b99754e32b4385f23d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56692
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/node.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/27d6e7eff07f8cce8e83b162d8f21a07458c860d
 	https://git.kernel.org/stable/c/c1077078ce4589b5e5387f6b0aaa0d4534b9eb57
 	https://git.kernel.org/stable/c/0a5c8b3fbf6200f1c66062d307c9a52084917788
 	https://git.kernel.org/stable/c/6babe00ccd34fc65b78ef8b99754e32b4385f23d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56692: f2fs: fix to do sanity check on node blkaddr in truncate_node()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to do sanity check on node blkaddr in truncate_node()

	syzbot reports a f2fs bug as below:

	------------[ cut here ]------------
	kernel BUG at fs/f2fs/segment.c:2534!
	RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
	Call Trace:
	truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909
	f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288
	f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856
	evict+0x4e8/0x9b0 fs/inode.c:723
	f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986
	f2fs_create+0x357/0x530 fs/f2fs/namei.c:394
	lookup_open fs/namei.c:3595 [inline]
	open_last_lookups fs/namei.c:3694 [inline]
	path_openat+0x1c03/0x3590 fs/namei.c:3930
	do_filp_open+0x235/0x490 fs/namei.c:3960
	do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
	do_sys_open fs/open.c:1430 [inline]
	__do_sys_openat fs/open.c:1446 [inline]
	__se_sys_openat fs/open.c:1441 [inline]
	__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534

	The root cause is: on a fuzzed image, blkaddr in nat entry may be
	corrupted, then it will cause system panic when using it in
	f2fs_invalidate_blocks(), to avoid this, let's add sanity check on
	nat blkaddr in truncate_node().

	The Linux kernel CVE team has assigned CVE-2024-56692 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.64 with commit 27d6e7eff07f8cce8e83b162d8f21a07458c860d
	Fixed in 6.11.11 with commit c1077078ce4589b5e5387f6b0aaa0d4534b9eb57
	Fixed in 6.12.2 with commit 0a5c8b3fbf6200f1c66062d307c9a52084917788
	Fixed in 6.13 with commit 6babe00ccd34fc65b78ef8b99754e32b4385f23d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56692
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/node.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/27d6e7eff07f8cce8e83b162d8f21a07458c860d
	https://git.kernel.org/stable/c/c1077078ce4589b5e5387f6b0aaa0d4534b9eb57
	https://git.kernel.org/stable/c/0a5c8b3fbf6200f1c66062d307c9a52084917788
	https://git.kernel.org/stable/c/6babe00ccd34fc65b78ef8b99754e32b4385f23d