cve/published/2022/CVE-2022-49007.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49007: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

 Syzbot reported a null-ptr-deref bug:

  NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
  frequency < 30 seconds
  general protection fault, probably for non-canonical address
  0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
  CPU: 1 PID: 3603 Comm: segctord Not tainted
  6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
  10/11/2022
  RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
  fs/nilfs2/alloc.c:608
  Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
  00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
  00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
  RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
  RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
  RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
  RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
  R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
  R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
  FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
  Call Trace:
   <TASK>
   nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
   nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
   nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
   nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
   nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
   nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
   nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
   nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
   nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
   nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
   nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
   nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
   nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
   nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
   nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
   nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
   nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
   kthread+0x2e4/0x3a0 kernel/kthread.c:376
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
   </TASK>
  ...

 If DAT metadata file is corrupted on disk, there is a case where
 req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
 a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
 because nilfs_dat_commit_alloc() for a lower level block can initialize
 the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
 nilfs_dat_commit_end().

 If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
 without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
 causes the NULL pointer dereference above in
 nilfs_palloc_commit_free_entry() function, which leads to a crash.

 Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
 before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().

 This also calls nilfs_error() in that case to notify that there is a fatal
 flaw in the filesystem metadata and prevent further operations.

 The Linux kernel CVE team has assigned CVE-2022-49007 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.335 with commit 2f2c59506ae39496588ceb8b88bdbdbaed895d63
 	Fixed in 4.14.301 with commit 165c7a3b27a3857ebf57f626b9f38b48b6792e68
 	Fixed in 4.19.268 with commit bc3fd3293887b4cf84a9109700faeb82de533c89
 	Fixed in 5.4.226 with commit 9a130b72e6bd1fb07fc3cde839dc6fb53da76f07
 	Fixed in 5.10.158 with commit e858917ab785afe83c14f5ac141301216ccda847
 	Fixed in 5.15.82 with commit 33021419fd81efd3d729a7f19341ba4b98fe66ce
 	Fixed in 6.0.12 with commit 381b84f60e549ea98cec4666c6c728b1b3318756
 	Fixed in 6.1 with commit f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49007
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nilfs2/dat.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2f2c59506ae39496588ceb8b88bdbdbaed895d63
 	https://git.kernel.org/stable/c/165c7a3b27a3857ebf57f626b9f38b48b6792e68
 	https://git.kernel.org/stable/c/bc3fd3293887b4cf84a9109700faeb82de533c89
 	https://git.kernel.org/stable/c/9a130b72e6bd1fb07fc3cde839dc6fb53da76f07
 	https://git.kernel.org/stable/c/e858917ab785afe83c14f5ac141301216ccda847
 	https://git.kernel.org/stable/c/33021419fd81efd3d729a7f19341ba4b98fe66ce
 	https://git.kernel.org/stable/c/381b84f60e549ea98cec4666c6c728b1b3318756
 	https://git.kernel.org/stable/c/f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49007: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

	Syzbot reported a null-ptr-deref bug:

	NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
	frequency < 30 seconds
	general protection fault, probably for non-canonical address
	0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
	KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
	CPU: 1 PID: 3603 Comm: segctord Not tainted
	6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
	Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
	10/11/2022
	RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
	fs/nilfs2/alloc.c:608
	Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
	00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
	00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
	RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
	RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
	RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
	RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
	R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
	R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
	FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000)
	knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
	Call Trace:
	<TASK>
	nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
	nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
	nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
	nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
	nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
	nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
	nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
	nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
	nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
	nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
	nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
	nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
	nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
	nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
	nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
	nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
	nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
	kthread+0x2e4/0x3a0 kernel/kthread.c:376
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
	</TASK>
	...

	If DAT metadata file is corrupted on disk, there is a case where
	req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
	a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
	because nilfs_dat_commit_alloc() for a lower level block can initialize
	the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
	nilfs_dat_commit_end().

	If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
	without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
	causes the NULL pointer dereference above in
	nilfs_palloc_commit_free_entry() function, which leads to a crash.

	Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
	before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().

	This also calls nilfs_error() in that case to notify that there is a fatal
	flaw in the filesystem metadata and prevent further operations.

	The Linux kernel CVE team has assigned CVE-2022-49007 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.335 with commit 2f2c59506ae39496588ceb8b88bdbdbaed895d63
	Fixed in 4.14.301 with commit 165c7a3b27a3857ebf57f626b9f38b48b6792e68
	Fixed in 4.19.268 with commit bc3fd3293887b4cf84a9109700faeb82de533c89
	Fixed in 5.4.226 with commit 9a130b72e6bd1fb07fc3cde839dc6fb53da76f07
	Fixed in 5.10.158 with commit e858917ab785afe83c14f5ac141301216ccda847
	Fixed in 5.15.82 with commit 33021419fd81efd3d729a7f19341ba4b98fe66ce
	Fixed in 6.0.12 with commit 381b84f60e549ea98cec4666c6c728b1b3318756
	Fixed in 6.1 with commit f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49007
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nilfs2/dat.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2f2c59506ae39496588ceb8b88bdbdbaed895d63
	https://git.kernel.org/stable/c/165c7a3b27a3857ebf57f626b9f38b48b6792e68
	https://git.kernel.org/stable/c/bc3fd3293887b4cf84a9109700faeb82de533c89
	https://git.kernel.org/stable/c/9a130b72e6bd1fb07fc3cde839dc6fb53da76f07
	https://git.kernel.org/stable/c/e858917ab785afe83c14f5ac141301216ccda847
	https://git.kernel.org/stable/c/33021419fd81efd3d729a7f19341ba4b98fe66ce
	https://git.kernel.org/stable/c/381b84f60e549ea98cec4666c6c728b1b3318756
	https://git.kernel.org/stable/c/f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4