cve/published/2023/CVE-2023-52848.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52848: f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

 syzbot reports a kernel bug as below:

 F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1
 kernel BUG at fs/f2fs/super.c:1639!
 CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0
 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639
 Call Trace:
  generic_shutdown_super+0x161/0x3c0 fs/super.c:693
  kill_block_super+0x3b/0x70 fs/super.c:1646
  kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879
  deactivate_locked_super+0x9a/0x170 fs/super.c:481
  deactivate_super+0xde/0x100 fs/super.c:514
  cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
  task_work_run+0x14d/0x240 kernel/task_work.c:179
  resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
  exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
  exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
  __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
  syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
  do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

 In f2fs_put_super(), it tries to do sanity check on dirty and IO
 reference count of f2fs, once there is any reference count leak,
 it will trigger panic.

 The root case is, during f2fs_put_super(), if there is any IO error
 in f2fs_wait_on_all_pages(), we missed to truncate meta_inode's page
 cache later, result in panic, fix this case.

 The Linux kernel CVE team has assigned CVE-2023-52848 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.5.12 with commit eb42e1862aa7934c2c21890097ce4993c5e0d192
 	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.6.2 with commit 10b2a6c0dade67b5a2b2d17fb75c457ea1985fad
 	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.7 with commit a4639380bbe66172df329f8b54aa7d2e943f0f64
 	Issue introduced in 6.4.16 with commit 0e2577074b459bba7f4016f4d725ede37d48bb22

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52848
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/eb42e1862aa7934c2c21890097ce4993c5e0d192
 	https://git.kernel.org/stable/c/10b2a6c0dade67b5a2b2d17fb75c457ea1985fad
 	https://git.kernel.org/stable/c/a4639380bbe66172df329f8b54aa7d2e943f0f64
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52848: f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

	syzbot reports a kernel bug as below:

	F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1
	kernel BUG at fs/f2fs/super.c:1639!
	CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0
	RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639
	Call Trace:
	generic_shutdown_super+0x161/0x3c0 fs/super.c:693
	kill_block_super+0x3b/0x70 fs/super.c:1646
	kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879
	deactivate_locked_super+0x9a/0x170 fs/super.c:481
	deactivate_super+0xde/0x100 fs/super.c:514
	cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
	task_work_run+0x14d/0x240 kernel/task_work.c:179
	resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
	exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
	exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
	__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
	syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
	do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	In f2fs_put_super(), it tries to do sanity check on dirty and IO
	reference count of f2fs, once there is any reference count leak,
	it will trigger panic.

	The root case is, during f2fs_put_super(), if there is any IO error
	in f2fs_wait_on_all_pages(), we missed to truncate meta_inode's page
	cache later, result in panic, fix this case.

	The Linux kernel CVE team has assigned CVE-2023-52848 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.5.12 with commit eb42e1862aa7934c2c21890097ce4993c5e0d192
	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.6.2 with commit 10b2a6c0dade67b5a2b2d17fb75c457ea1985fad
	Issue introduced in 6.5 with commit 20872584b8c0b006c007da9588a272c9e28d2e18 and fixed in 6.7 with commit a4639380bbe66172df329f8b54aa7d2e943f0f64
	Issue introduced in 6.4.16 with commit 0e2577074b459bba7f4016f4d725ede37d48bb22

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52848
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/eb42e1862aa7934c2c21890097ce4993c5e0d192
	https://git.kernel.org/stable/c/10b2a6c0dade67b5a2b2d17fb75c457ea1985fad
	https://git.kernel.org/stable/c/a4639380bbe66172df329f8b54aa7d2e943f0f64