cve/published/2024/CVE-2024-57952.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57952: Revert "libfs: fix infinite directory reads for offset dir"

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Revert "libfs: fix infinite directory reads for offset dir"

 The current directory offset allocator (based on mtree_alloc_cyclic)
 stores the next offset value to return in octx->next_offset. This
 mechanism typically returns values that increase monotonically over
 time. Eventually, though, the newly allocated offset value wraps
 back to a low number (say, 2) which is smaller than other already-
 allocated offset values.

 Yu Kuai <yukuai3@huawei.com> reports that, after commit 64a7ce76fb90
 ("libfs: fix infinite directory reads for offset dir"), if a
 directory's offset allocator wraps, existing entries are no longer
 visible via readdir/getdents because offset_readdir() stops listing
 entries once an entry's offset is larger than octx->next_offset.
 These entries vanish persistently -- they can be looked up, but will
 never again appear in readdir(3) output.

 The reason for this is that the commit treats directory offsets as
 monotonically increasing integer values rather than opaque cookies,
 and introduces this comparison:

 	if (dentry2offset(dentry) >= last_index) {

 On 64-bit platforms, the directory offset value upper bound is
 2^63 - 1. Directory offsets will monotonically increase for millions
 of years without wrapping.

 On 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator
 can wrap after only a few weeks (at worst).

 Revert commit 64a7ce76fb90 ("libfs: fix infinite directory reads for
 offset dir") to prepare for a fix that can work properly on 32-bit
 systems and might apply to recent LTS kernels where shmem employs
 the simple_offset mechanism.

 The Linux kernel CVE team has assigned CVE-2024-57952 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.12.12 with commit 9e9e710f68bac49bd9b587823c077d06363440e0
 	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.13.1 with commit 3f250b82040a72b0059ae00855a74d8570ad2147
 	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.14 with commit b662d858131da9a8a14e68661656989b14dbf113
 	Issue introduced in 6.10.7 with commit 308b4fc2403b335894592ee9dc212a5e58bb309f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57952
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/libfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9e9e710f68bac49bd9b587823c077d06363440e0
 	https://git.kernel.org/stable/c/3f250b82040a72b0059ae00855a74d8570ad2147
 	https://git.kernel.org/stable/c/b662d858131da9a8a14e68661656989b14dbf113
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57952: Revert "libfs: fix infinite directory reads for offset dir"

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Revert "libfs: fix infinite directory reads for offset dir"

	The current directory offset allocator (based on mtree_alloc_cyclic)
	stores the next offset value to return in octx->next_offset. This
	mechanism typically returns values that increase monotonically over
	time. Eventually, though, the newly allocated offset value wraps
	back to a low number (say, 2) which is smaller than other already-
	allocated offset values.

	Yu Kuai <yukuai3@huawei.com> reports that, after commit 64a7ce76fb90
	("libfs: fix infinite directory reads for offset dir"), if a
	directory's offset allocator wraps, existing entries are no longer
	visible via readdir/getdents because offset_readdir() stops listing
	entries once an entry's offset is larger than octx->next_offset.
	These entries vanish persistently -- they can be looked up, but will
	never again appear in readdir(3) output.

	The reason for this is that the commit treats directory offsets as
	monotonically increasing integer values rather than opaque cookies,
	and introduces this comparison:

	if (dentry2offset(dentry) >= last_index) {

	On 64-bit platforms, the directory offset value upper bound is
	2^63 - 1. Directory offsets will monotonically increase for millions
	of years without wrapping.

	On 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator
	can wrap after only a few weeks (at worst).

	Revert commit 64a7ce76fb90 ("libfs: fix infinite directory reads for
	offset dir") to prepare for a fix that can work properly on 32-bit
	systems and might apply to recent LTS kernels where shmem employs
	the simple_offset mechanism.

	The Linux kernel CVE team has assigned CVE-2024-57952 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.12.12 with commit 9e9e710f68bac49bd9b587823c077d06363440e0
	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.13.1 with commit 3f250b82040a72b0059ae00855a74d8570ad2147
	Issue introduced in 6.11 with commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a and fixed in 6.14 with commit b662d858131da9a8a14e68661656989b14dbf113
	Issue introduced in 6.10.7 with commit 308b4fc2403b335894592ee9dc212a5e58bb309f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57952
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/libfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9e9e710f68bac49bd9b587823c077d06363440e0
	https://git.kernel.org/stable/c/3f250b82040a72b0059ae00855a74d8570ad2147
	https://git.kernel.org/stable/c/b662d858131da9a8a14e68661656989b14dbf113