cve/published/2023/CVE-2023-52786.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52786: ext4: fix racy may inline data check in dio write

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: fix racy may inline data check in dio write

 syzbot reports that the following warning from ext4_iomap_begin()
 triggers as of the commit referenced below:

         if (WARN_ON_ONCE(ext4_has_inline_data(inode)))
                 return -ERANGE;

 This occurs during a dio write, which is never expected to encounter
 an inode with inline data. To enforce this behavior,
 ext4_dio_write_iter() checks the current inline state of the inode
 and clears the MAY_INLINE_DATA state flag to either fall back to
 buffered writes, or enforce that any other writers in progress on
 the inode are not allowed to create inline data.

 The problem is that the check for existing inline data and the state
 flag can span a lock cycle. For example, if the ilock is originally
 locked shared and subsequently upgraded to exclusive, another writer
 may have reacquired the lock and created inline data before the dio
 write task acquires the lock and proceeds.

 The commit referenced below loosens the lock requirements to allow
 some forms of unaligned dio writes to occur under shared lock, but
 AFAICT the inline data check was technically already racy for any
 dio write that would have involved a lock cycle. Regardless, lift
 clearing of the state bit to the same lock critical section that
 checks for preexisting inline data on the inode to close the race.

 The Linux kernel CVE team has assigned CVE-2023-52786 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.5.13 with commit e3b83d87c93eb6fc96a80b5e8527f7dc9f5a11bc
 	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.6.3 with commit 7343c23ebcadbedc23a7063d1e24d976eccb0d0d
 	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.7 with commit ce56d21355cd6f6937aca32f1f44ca749d1e4808

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52786
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/file.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e3b83d87c93eb6fc96a80b5e8527f7dc9f5a11bc
 	https://git.kernel.org/stable/c/7343c23ebcadbedc23a7063d1e24d976eccb0d0d
 	https://git.kernel.org/stable/c/ce56d21355cd6f6937aca32f1f44ca749d1e4808
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52786: ext4: fix racy may inline data check in dio write

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: fix racy may inline data check in dio write

	syzbot reports that the following warning from ext4_iomap_begin()
	triggers as of the commit referenced below:

	if (WARN_ON_ONCE(ext4_has_inline_data(inode)))
	return -ERANGE;

	This occurs during a dio write, which is never expected to encounter
	an inode with inline data. To enforce this behavior,
	ext4_dio_write_iter() checks the current inline state of the inode
	and clears the MAY_INLINE_DATA state flag to either fall back to
	buffered writes, or enforce that any other writers in progress on
	the inode are not allowed to create inline data.

	The problem is that the check for existing inline data and the state
	flag can span a lock cycle. For example, if the ilock is originally
	locked shared and subsequently upgraded to exclusive, another writer
	may have reacquired the lock and created inline data before the dio
	write task acquires the lock and proceeds.

	The commit referenced below loosens the lock requirements to allow
	some forms of unaligned dio writes to occur under shared lock, but
	AFAICT the inline data check was technically already racy for any
	dio write that would have involved a lock cycle. Regardless, lift
	clearing of the state bit to the same lock critical section that
	checks for preexisting inline data on the inode to close the race.

	The Linux kernel CVE team has assigned CVE-2023-52786 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.5.13 with commit e3b83d87c93eb6fc96a80b5e8527f7dc9f5a11bc
	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.6.3 with commit 7343c23ebcadbedc23a7063d1e24d976eccb0d0d
	Issue introduced in 6.5 with commit 310ee0902b8d9d0a13a5a13e94688a5863fa29c2 and fixed in 6.7 with commit ce56d21355cd6f6937aca32f1f44ca749d1e4808

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52786
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/file.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e3b83d87c93eb6fc96a80b5e8527f7dc9f5a11bc
	https://git.kernel.org/stable/c/7343c23ebcadbedc23a7063d1e24d976eccb0d0d
	https://git.kernel.org/stable/c/ce56d21355cd6f6937aca32f1f44ca749d1e4808