cve/published/2022/CVE-2022-49428.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49428: f2fs: fix to do sanity check on inline_dots inode

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to do sanity check on inline_dots inode

 As Wenqing reported in bugzilla:

 https://bugzilla.kernel.org/show_bug.cgi?id=215765

 It will cause a kernel panic with steps:
 - mkdir mnt
 - mount tmp40.img mnt
 - ls mnt

 folio_mark_dirty+0x33/0x50
 f2fs_add_regular_entry+0x541/0xad0 [f2fs]
 f2fs_add_dentry+0x6c/0xb0 [f2fs]
 f2fs_do_add_link+0x182/0x230 [f2fs]
 __recover_dot_dentries+0x2d6/0x470 [f2fs]
 f2fs_lookup+0x5af/0x6a0 [f2fs]
 __lookup_slow+0xac/0x200
 lookup_slow+0x45/0x70
 walk_component+0x16c/0x250
 path_lookupat+0x8b/0x1f0
 filename_lookup+0xef/0x250
 user_path_at_empty+0x46/0x70
 vfs_statx+0x98/0x190
 __do_sys_newlstat+0x41/0x90
 __x64_sys_newlstat+0x1a/0x30
 do_syscall_64+0x37/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

 The root cause is for special file: e.g. character, block, fifo or
 socket file, f2fs doesn't assign address space operations pointer array
 for mapping->a_ops field, so, in a fuzzed image, if inline_dots flag was
 tagged in special file, during lookup(), when f2fs runs into
 __recover_dot_dentries(), it will cause NULL pointer access once
 f2fs_add_regular_entry() calls a_ops->set_dirty_page().

 The Linux kernel CVE team has assigned CVE-2022-49428 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.15.46 with commit 250e5a6be52a6b9d82fe91976c83cc158868b4e9
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.17.14 with commit 34f48ce5d5936eea33e3b6415403e57eb84aff97
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.18.3 with commit 2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.19 with commit 12662d19467b391b5b509ac5e9ab4f583c6dde16

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49428
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/namei.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/250e5a6be52a6b9d82fe91976c83cc158868b4e9
 	https://git.kernel.org/stable/c/34f48ce5d5936eea33e3b6415403e57eb84aff97
 	https://git.kernel.org/stable/c/2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a
 	https://git.kernel.org/stable/c/12662d19467b391b5b509ac5e9ab4f583c6dde16
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49428: f2fs: fix to do sanity check on inline_dots inode

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to do sanity check on inline_dots inode

	As Wenqing reported in bugzilla:

	https://bugzilla.kernel.org/show_bug.cgi?id=215765

	It will cause a kernel panic with steps:
	- mkdir mnt
	- mount tmp40.img mnt
	- ls mnt

	folio_mark_dirty+0x33/0x50
	f2fs_add_regular_entry+0x541/0xad0 [f2fs]
	f2fs_add_dentry+0x6c/0xb0 [f2fs]
	f2fs_do_add_link+0x182/0x230 [f2fs]
	__recover_dot_dentries+0x2d6/0x470 [f2fs]
	f2fs_lookup+0x5af/0x6a0 [f2fs]
	__lookup_slow+0xac/0x200
	lookup_slow+0x45/0x70
	walk_component+0x16c/0x250
	path_lookupat+0x8b/0x1f0
	filename_lookup+0xef/0x250
	user_path_at_empty+0x46/0x70
	vfs_statx+0x98/0x190
	__do_sys_newlstat+0x41/0x90
	__x64_sys_newlstat+0x1a/0x30
	do_syscall_64+0x37/0xb0
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The root cause is for special file: e.g. character, block, fifo or
	socket file, f2fs doesn't assign address space operations pointer array
	for mapping->a_ops field, so, in a fuzzed image, if inline_dots flag was
	tagged in special file, during lookup(), when f2fs runs into
	__recover_dot_dentries(), it will cause NULL pointer access once
	f2fs_add_regular_entry() calls a_ops->set_dirty_page().

	The Linux kernel CVE team has assigned CVE-2022-49428 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.15.46 with commit 250e5a6be52a6b9d82fe91976c83cc158868b4e9
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.17.14 with commit 34f48ce5d5936eea33e3b6415403e57eb84aff97
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.18.3 with commit 2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.19 with commit 12662d19467b391b5b509ac5e9ab4f583c6dde16

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49428
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/namei.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/250e5a6be52a6b9d82fe91976c83cc158868b4e9
	https://git.kernel.org/stable/c/34f48ce5d5936eea33e3b6415403e57eb84aff97
	https://git.kernel.org/stable/c/2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a
	https://git.kernel.org/stable/c/12662d19467b391b5b509ac5e9ab4f583c6dde16