cve/published/2023/CVE-2023-52770.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52770: f2fs: split initial and dynamic conditions for extent_cache

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: split initial and dynamic conditions for extent_cache

 Let's allocate the extent_cache tree without dynamic conditions to avoid a
 missing condition causing a panic as below.

  # create a file w/ a compressed flag
  # disable the compression
  # panic while updating extent_cache

 F2FS-fs (dm-64): Swapfile: last extent is not aligned to section
 F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)
 Adding 124996k swap on ./swap-file.  Priority:0 extents:2 across:17179494468k
 ==================================================================
 BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
 BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
 BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
 BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
 BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295
 Write of size 4 at addr 0000000000000030 by task syz-executor154/3327

 CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G           O      5.10.185 #1
 Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023
 Call Trace:
  __dump_stack out/common/lib/dump_stack.c:77 [inline]
  dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118
  __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415
  kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428
  kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186
  __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37
  instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
  atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
  queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
  __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
  _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295
  __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155
  f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172
  f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]
  f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764
  vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310
  ksys_fallocate out/common/fs/open.c:333 [inline]
  __do_sys_fallocate out/common/fs/open.c:341 [inline]
  __se_sys_fallocate out/common/fs/open.c:339 [inline]
  __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339
  do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46

 The Linux kernel CVE team has assigned CVE-2023-52770 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.5.13 with commit 9de787139b0258a5dd1f498780c26d76b61d2958
 	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.6.3 with commit d83309e7e006cee8afca83523559017c824fbf7a
 	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.7 with commit f803982190f0265fd36cf84670aa6daefc2b0768
 	Issue introduced in 6.1.29 with commit 4377b1d3b19e1369d094a94596211a9815ddbb04

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52770
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/extent_cache.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9de787139b0258a5dd1f498780c26d76b61d2958
 	https://git.kernel.org/stable/c/d83309e7e006cee8afca83523559017c824fbf7a
 	https://git.kernel.org/stable/c/f803982190f0265fd36cf84670aa6daefc2b0768
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52770: f2fs: split initial and dynamic conditions for extent_cache

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: split initial and dynamic conditions for extent_cache

	Let's allocate the extent_cache tree without dynamic conditions to avoid a
	missing condition causing a panic as below.

	# create a file w/ a compressed flag
	# disable the compression
	# panic while updating extent_cache

	F2FS-fs (dm-64): Swapfile: last extent is not aligned to section
	F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)
	Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k
	==================================================================
	BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
	BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
	BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
	BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
	BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295
	Write of size 4 at addr 0000000000000030 by task syz-executor154/3327

	CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1
	Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023
	Call Trace:
	__dump_stack out/common/lib/dump_stack.c:77 [inline]
	dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118
	__kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415
	kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428
	kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186
	__kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37
	instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
	atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
	queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
	__raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
	_raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295
	__drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155
	f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172
	f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]
	f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764
	vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310
	ksys_fallocate out/common/fs/open.c:333 [inline]
	__do_sys_fallocate out/common/fs/open.c:341 [inline]
	__se_sys_fallocate out/common/fs/open.c:339 [inline]
	__x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339
	do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46

	The Linux kernel CVE team has assigned CVE-2023-52770 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.5.13 with commit 9de787139b0258a5dd1f498780c26d76b61d2958
	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.6.3 with commit d83309e7e006cee8afca83523559017c824fbf7a
	Issue introduced in 6.2 with commit 72840cccc0a1a0a0dc1bb27b669a9111be6d0f6a and fixed in 6.7 with commit f803982190f0265fd36cf84670aa6daefc2b0768
	Issue introduced in 6.1.29 with commit 4377b1d3b19e1369d094a94596211a9815ddbb04

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52770
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/extent_cache.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9de787139b0258a5dd1f498780c26d76b61d2958
	https://git.kernel.org/stable/c/d83309e7e006cee8afca83523559017c824fbf7a
	https://git.kernel.org/stable/c/f803982190f0265fd36cf84670aa6daefc2b0768