cve/published/2022/CVE-2022-48923.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48923: btrfs: prevent copying too big compressed lzo segment

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: prevent copying too big compressed lzo segment

 Compressed length can be corrupted to be a lot larger than memory
 we have allocated for buffer.
 This will cause memcpy in copy_compressed_segment to write outside
 of allocated memory.

 This mostly results in stuck read syscall but sometimes when using
 btrfs send can get #GP

   kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
   kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P           OE     5.17.0-rc2-1 #12
   kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
   kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs
   Code starting with the faulting instruction
   ===========================================
      0:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction
      3:   48 8d 79 08             lea    0x8(%rcx),%rdi
      7:   48 83 e7 f8             and    $0xfffffffffffffff8,%rdi
      b:   48 89 01                mov    %rax,(%rcx)
      e:   44 89 f0                mov    %r14d,%eax
     11:   48 8b 54 06 f8          mov    -0x8(%rsi,%rax,1),%rdx
   kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212
   kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8
   kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d
   kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000
   kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000
   kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000
   kernel: FS:  0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000
   kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0
   kernel: Call Trace:
   kernel:  <TASK>
   kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs
   kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs
   kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs
   kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
   kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)
   kernel: ? process_one_work (kernel/workqueue.c:2397)
   kernel: kthread (kernel/kthread.c:377)
   kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
   kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
   kernel:  </TASK>

 The Linux kernel CVE team has assigned CVE-2022-48923 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.15.26 with commit 8df508b7a44cd8110c726057cd28e8f8116885eb
 	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.16.12 with commit e326bd06cdde46df952361456232022298281d16
 	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.17 with commit 741b23a970a79d5d3a1db2d64fa2c7b375a4febb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48923
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/lzo.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8df508b7a44cd8110c726057cd28e8f8116885eb
 	https://git.kernel.org/stable/c/e326bd06cdde46df952361456232022298281d16
 	https://git.kernel.org/stable/c/741b23a970a79d5d3a1db2d64fa2c7b375a4febb
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48923: btrfs: prevent copying too big compressed lzo segment

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: prevent copying too big compressed lzo segment

	Compressed length can be corrupted to be a lot larger than memory
	we have allocated for buffer.
	This will cause memcpy in copy_compressed_segment to write outside
	of allocated memory.

	This mostly results in stuck read syscall but sometimes when using
	btrfs send can get #GP

	kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
	kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12
	kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
	kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs
	Code starting with the faulting instruction
	===========================================
	0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction
	3: 48 8d 79 08 lea 0x8(%rcx),%rdi
	7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi
	b: 48 89 01 mov %rax,(%rcx)
	e: 44 89 f0 mov %r14d,%eax
	11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx
	kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212
	kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8
	kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d
	kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000
	kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000
	kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000
	kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000
	kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0
	kernel: Call Trace:
	kernel: <TASK>
	kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs
	kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs
	kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs
	kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
	kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)
	kernel: ? process_one_work (kernel/workqueue.c:2397)
	kernel: kthread (kernel/kthread.c:377)
	kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
	kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
	kernel: </TASK>

	The Linux kernel CVE team has assigned CVE-2022-48923 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.15.26 with commit 8df508b7a44cd8110c726057cd28e8f8116885eb
	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.16.12 with commit e326bd06cdde46df952361456232022298281d16
	Issue introduced in 5.15 with commit a6e66e6f8c1b685e11b778bef614480a9c1a5278 and fixed in 5.17 with commit 741b23a970a79d5d3a1db2d64fa2c7b375a4febb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48923
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/lzo.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8df508b7a44cd8110c726057cd28e8f8116885eb
	https://git.kernel.org/stable/c/e326bd06cdde46df952361456232022298281d16
	https://git.kernel.org/stable/c/741b23a970a79d5d3a1db2d64fa2c7b375a4febb