cve/published/2022/CVE-2022-49174.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49174: ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

 In case of flex_bg feature (which is by default enabled), extents for
 any given inode might span across blocks from two different block group.
 ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the
 starting block group, but it fails to read it again when the extent length
 boundary overflows to another block group. Then in this below loop it
 accesses memory beyond the block group bitmap buffer_head and results
 into a data abort.

 	for (i = 0; i < clen; i++)
 		if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state)
 			already++;

 This patch adds this functionality for checking block group boundary in
 ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different
 block group.

 w/o this patch, I was easily able to hit a data access abort using Power platform.

 <...>
 [   74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters
 [   74.533214] EXT4-fs (loop3): shut down requested (2)
 [   74.536705] Aborting journal on device loop3-8.
 [   74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000
 [   74.703727] Faulting instruction address: 0xc0000000007bffb8
 cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]
     pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0
     lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0
     sp: c000000015db7300
    msr: 800000000280b033
    dar: c00000005e980000
  dsisr: 40000000
   current = 0xc000000027af6880
   paca    = 0xc00000003ffd5200   irqmask: 0x03   irq_happened: 0x01
     pid   = 5167, comm = mount
 <...>
 enter ? for help
 [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410
 [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000
 [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0
 [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0
 [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0
 [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10
 [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350
 [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40
 [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100
 [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70
 [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550
 [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0
 [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250

 The Linux kernel CVE team has assigned CVE-2022-49174 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.110 with commit cd6d719534af993210306f8a13f9cb3e615f7c8d
 	Fixed in 5.15.33 with commit 6a6beb074186a0452368a023a261c7d0eaebe838
 	Fixed in 5.16.19 with commit b07eedd0222e9548ffc568ec429bb1f61d21a39c
 	Fixed in 5.17.2 with commit 803fb0e8240cc16585a5c9df76add1dfaa781773
 	Fixed in 5.18 with commit bfdc502a4a4c058bf4cbb1df0c297761d528f54d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49174
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/mballoc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cd6d719534af993210306f8a13f9cb3e615f7c8d
 	https://git.kernel.org/stable/c/6a6beb074186a0452368a023a261c7d0eaebe838
 	https://git.kernel.org/stable/c/b07eedd0222e9548ffc568ec429bb1f61d21a39c
 	https://git.kernel.org/stable/c/803fb0e8240cc16585a5c9df76add1dfaa781773
 	https://git.kernel.org/stable/c/bfdc502a4a4c058bf4cbb1df0c297761d528f54d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49174: ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

	In case of flex_bg feature (which is by default enabled), extents for
	any given inode might span across blocks from two different block group.
	ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the
	starting block group, but it fails to read it again when the extent length
	boundary overflows to another block group. Then in this below loop it
	accesses memory beyond the block group bitmap buffer_head and results
	into a data abort.

	for (i = 0; i < clen; i++)
	if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state)
	already++;

	This patch adds this functionality for checking block group boundary in
	ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different
	block group.

	w/o this patch, I was easily able to hit a data access abort using Power platform.

	<...>
	[ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters
	[ 74.533214] EXT4-fs (loop3): shut down requested (2)
	[ 74.536705] Aborting journal on device loop3-8.
	[ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000
	[ 74.703727] Faulting instruction address: 0xc0000000007bffb8
	cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]
	pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0
	lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0
	sp: c000000015db7300
	msr: 800000000280b033
	dar: c00000005e980000
	dsisr: 40000000
	current = 0xc000000027af6880
	paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01
	pid = 5167, comm = mount
	<...>
	enter ? for help
	[c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410
	[c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000
	[c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0
	[c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0
	[c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0
	[c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10
	[c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350
	[c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40
	[c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100
	[c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70
	[c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550
	[c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0
	[c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250

	The Linux kernel CVE team has assigned CVE-2022-49174 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.110 with commit cd6d719534af993210306f8a13f9cb3e615f7c8d
	Fixed in 5.15.33 with commit 6a6beb074186a0452368a023a261c7d0eaebe838
	Fixed in 5.16.19 with commit b07eedd0222e9548ffc568ec429bb1f61d21a39c
	Fixed in 5.17.2 with commit 803fb0e8240cc16585a5c9df76add1dfaa781773
	Fixed in 5.18 with commit bfdc502a4a4c058bf4cbb1df0c297761d528f54d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49174
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/mballoc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cd6d719534af993210306f8a13f9cb3e615f7c8d
	https://git.kernel.org/stable/c/6a6beb074186a0452368a023a261c7d0eaebe838
	https://git.kernel.org/stable/c/b07eedd0222e9548ffc568ec429bb1f61d21a39c
	https://git.kernel.org/stable/c/803fb0e8240cc16585a5c9df76add1dfaa781773
	https://git.kernel.org/stable/c/bfdc502a4a4c058bf4cbb1df0c297761d528f54d