| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-52705: nilfs2: fix underflow in second superblock position calculations |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| nilfs2: fix underflow in second superblock position calculations |
| |
| Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second |
| superblock, underflows when the argument device size is less than 4096 |
| bytes. Therefore, when using this macro, it is necessary to check in |
| advance that the device size is not less than a lower limit, or at least |
| that underflow does not occur. |
| |
| The current nilfs2 implementation lacks this check, causing out-of-bound |
| block access when mounting devices smaller than 4096 bytes: |
| |
| I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 |
| phys_seg 1 prio class 2 |
| NILFS (loop0): unable to read secondary superblock (blocksize = 1024) |
| |
| In addition, when trying to resize the filesystem to a size below 4096 |
| bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number |
| of segments to nilfs_sufile_resize(), corrupting parameters such as the |
| number of segments in superblocks. This causes excessive loop iterations |
| in nilfs_sufile_resize() during a subsequent resize ioctl, causing |
| semaphore ns_segctor_sem to block for a long time and hang the writer |
| thread: |
| |
| INFO: task segctord:5067 blocked for more than 143 seconds. |
| Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 |
| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. |
| task:segctord state:D stack:23456 pid:5067 ppid:2 |
| flags:0x00004000 |
| Call Trace: |
| <TASK> |
| context_switch kernel/sched/core.c:5293 [inline] |
| __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 |
| schedule+0xc3/0x190 kernel/sched/core.c:6682 |
| rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 |
| nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357 |
| nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline] |
| nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570 |
| kthread+0x270/0x300 kernel/kthread.c:376 |
| ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 |
| </TASK> |
| ... |
| Call Trace: |
| <TASK> |
| folio_mark_accessed+0x51c/0xf00 mm/swap.c:515 |
| __nilfs_get_page_block fs/nilfs2/page.c:42 [inline] |
| nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61 |
| nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121 |
| nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176 |
| nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251 |
| nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline] |
| nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline] |
| nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 |
| nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 |
| nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline] |
| nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 |
| ... |
| |
| This fixes these issues by inserting appropriate minimum device size |
| checks or anti-underflow checks, depending on where the macro is used. |
| |
| The Linux kernel CVE team has assigned CVE-2023-52705 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.14.306 with commit 2f7a1135b202977b82457adde7db6c390056863b |
| Fixed in 4.19.273 with commit b96591e2c35c8b47db0ec816b5fc6cb8868000ff |
| Fixed in 5.4.232 with commit 52844d8382cd9166d708032def8905ffc3ae550f |
| Fixed in 5.10.169 with commit 0ee5ed0126a2211f7174492da2ca2c29f43755c5 |
| Fixed in 5.15.95 with commit a158782b56b070485d54d25fc9aaf2c8f3752205 |
| Fixed in 6.1.13 with commit a8ef5109f93cea9933bbac0455d8c18757b3fcb4 |
| Fixed in 6.2 with commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-52705 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/nilfs2/ioctl.c |
| fs/nilfs2/super.c |
| fs/nilfs2/the_nilfs.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b |
| https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff |
| https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f |
| https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5 |
| https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205 |
| https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4 |
| https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d |
