cve/published/2022/CVE-2022-49738.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49738: f2fs: fix to do sanity check on i_extra_isize in is_alive()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to do sanity check on i_extra_isize in is_alive()

 syzbot found a f2fs bug:

 BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
 BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline]
 BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline]
 BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
 Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52

 CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Workqueue: writeback wb_workfn (flush-7:0)
 Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
 data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
 is_alive fs/f2fs/gc.c:1117 [inline]
 gc_data_segment fs/f2fs/gc.c:1520 [inline]
 do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
 f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831
 f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410
 f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753
 write_inode fs/fs-writeback.c:1440 [inline]
 __writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652
 writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870
 wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044
 wb_do_writeback fs/fs-writeback.c:2187 [inline]
 wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

 The root cause is that we forgot to do sanity check on .i_extra_isize
 in below path, result in accessing invalid address later, fix it.
 - gc_data_segment
  - is_alive
   - data_blkaddr
    - offset_in_addr

 The Linux kernel CVE team has assigned CVE-2022-49738 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.232 with commit e5142a4935c1f15841d06047b8130078fc4d7b8f
 	Fixed in 5.10.168 with commit 914e38f02a490dafd980ff0f39cccedc074deb29
 	Fixed in 5.15.93 with commit 97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a
 	Fixed in 6.1.11 with commit 5b25035fb888cb2f78bf0b9c9f95b1dc54480d36
 	Fixed in 6.2 with commit d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49738
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/gc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e5142a4935c1f15841d06047b8130078fc4d7b8f
 	https://git.kernel.org/stable/c/914e38f02a490dafd980ff0f39cccedc074deb29
 	https://git.kernel.org/stable/c/97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a
 	https://git.kernel.org/stable/c/5b25035fb888cb2f78bf0b9c9f95b1dc54480d36
 	https://git.kernel.org/stable/c/d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49738: f2fs: fix to do sanity check on i_extra_isize in is_alive()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to do sanity check on i_extra_isize in is_alive()

	syzbot found a f2fs bug:

	BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
	BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline]
	BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline]
	BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
	Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52

	CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
	Workqueue: writeback wb_workfn (flush-7:0)
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	print_address_description mm/kasan/report.c:284 [inline]
	print_report+0x15e/0x45d mm/kasan/report.c:395
	kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
	data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
	is_alive fs/f2fs/gc.c:1117 [inline]
	gc_data_segment fs/f2fs/gc.c:1520 [inline]
	do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
	f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831
	f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410
	f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753
	write_inode fs/fs-writeback.c:1440 [inline]
	__writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652
	writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870
	wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044
	wb_do_writeback fs/fs-writeback.c:2187 [inline]
	wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227
	process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
	worker_thread+0x665/0x1080 kernel/workqueue.c:2436
	kthread+0x2e4/0x3a0 kernel/kthread.c:376
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

	The root cause is that we forgot to do sanity check on .i_extra_isize
	in below path, result in accessing invalid address later, fix it.
	- gc_data_segment
	- is_alive
	- data_blkaddr
	- offset_in_addr

	The Linux kernel CVE team has assigned CVE-2022-49738 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.232 with commit e5142a4935c1f15841d06047b8130078fc4d7b8f
	Fixed in 5.10.168 with commit 914e38f02a490dafd980ff0f39cccedc074deb29
	Fixed in 5.15.93 with commit 97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a
	Fixed in 6.1.11 with commit 5b25035fb888cb2f78bf0b9c9f95b1dc54480d36
	Fixed in 6.2 with commit d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49738
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/gc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e5142a4935c1f15841d06047b8130078fc4d7b8f
	https://git.kernel.org/stable/c/914e38f02a490dafd980ff0f39cccedc074deb29
	https://git.kernel.org/stable/c/97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a
	https://git.kernel.org/stable/c/5b25035fb888cb2f78bf0b9c9f95b1dc54480d36
	https://git.kernel.org/stable/c/d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c