cve/published/2023/CVE-2023-52933.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52933: Squashfs: fix handling and sanity checking of xattr_ids count

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Squashfs: fix handling and sanity checking of xattr_ids count

 A Sysbot [1] corrupted filesystem exposes two flaws in the handling and
 sanity checking of the xattr_ids count in the filesystem.  Both of these
 flaws cause computation overflow due to incorrect typing.

 In the corrupted filesystem the xattr_ids value is 4294967071, which
 stored in a signed variable becomes the negative number -225.

 Flaw 1 (64-bit systems only):

 The signed integer xattr_ids variable causes sign extension.

 This causes variable overflow in the SQUASHFS_XATTR_*(A) macros.  The
 variable is first multiplied by sizeof(struct squashfs_xattr_id) where the
 type of the sizeof operator is "unsigned long".

 On a 64-bit system this is 64-bits in size, and causes the negative number
 to be sign extended and widened to 64-bits and then become unsigned.  This
 produces the very large number 18446744073709548016 or 2^64 - 3600.  This
 number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and
 divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0
 (stored in len).

 Flaw 2 (32-bit systems only):

 On a 32-bit system the integer variable is not widened by the unsigned
 long type of the sizeof operator (32-bits), and the signedness of the
 variable has no effect due it always being treated as unsigned.

 The above corrupted xattr_ids value of 4294967071, when multiplied
 overflows and produces the number 4294963696 or 2^32 - 3400.  This number
 when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by
 SQUASHFS_METADATA_SIZE overflows again and produces a length of 0.

 The effect of the 0 length computation:

 In conjunction with the corrupted xattr_ids field, the filesystem also has
 a corrupted xattr_table_start value, where it matches the end of
 filesystem value of 850.

 This causes the following sanity check code to fail because the
 incorrectly computed len of 0 matches the incorrect size of the table
 reported by the superblock (0 bytes).

     len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
     indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);

     /*
      * The computed size of the index table (len bytes) should exactly
      * match the table start and end points
     */
     start = table_start + sizeof(*id_table);
     end = msblk->bytes_used;

     if (len != (end - start))
             return ERR_PTR(-EINVAL);

 Changing the xattr_ids variable to be "usigned int" fixes the flaw on a
 64-bit system.  This relies on the fact the computation is widened by the
 unsigned long type of the sizeof operator.

 Casting the variable to u64 in the above macro fixes this flaw on a 32-bit
 system.

 It also means 64-bit systems do not implicitly rely on the type of the
 sizeof operator to widen the computation.

 [1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/

 The Linux kernel CVE team has assigned CVE-2023-52933 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14.222 with commit ff49cace7b8cf00d27665f7536a863d406963d06 and fixed in 4.14.306 with commit 7fe583c9bec10cd4b76231c51b37f3e4ca646e01
 	Issue introduced in 4.19.176 with commit a8717b34003f4f7353b23826617ad872f85d85d8 and fixed in 4.19.273 with commit b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2
 	Issue introduced in 5.4.98 with commit 3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad and fixed in 5.4.232 with commit 1369322c1de52c7b9b988b95c9903110a4566778
 	Issue introduced in 5.10.16 with commit bddcce15cd1fb9675ddd46a76d8fe2d0a571313b and fixed in 5.10.168 with commit 5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e
 	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 5.15.93 with commit 997bed0f3cde78a3e639d624985bf4a95cf767e6
 	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 6.1.11 with commit a7da7d01ac5ce9b369a1ac70e1197999cc6c9686
 	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 6.2 with commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc
 	Issue introduced in 4.4.258 with commit 91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b
 	Issue introduced in 4.9.258 with commit eca93bf20f70e0f78c8c28720951942f61a49117

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52933
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/squashfs/squashfs_fs.h
 	fs/squashfs/squashfs_fs_sb.h
 	fs/squashfs/xattr.h
 	fs/squashfs/xattr_id.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7fe583c9bec10cd4b76231c51b37f3e4ca646e01
 	https://git.kernel.org/stable/c/b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2
 	https://git.kernel.org/stable/c/1369322c1de52c7b9b988b95c9903110a4566778
 	https://git.kernel.org/stable/c/5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e
 	https://git.kernel.org/stable/c/997bed0f3cde78a3e639d624985bf4a95cf767e6
 	https://git.kernel.org/stable/c/a7da7d01ac5ce9b369a1ac70e1197999cc6c9686
 	https://git.kernel.org/stable/c/f65c4bbbd682b0877b669828b4e033b8d5d0a2dc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52933: Squashfs: fix handling and sanity checking of xattr_ids count

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Squashfs: fix handling and sanity checking of xattr_ids count

	A Sysbot [1] corrupted filesystem exposes two flaws in the handling and
	sanity checking of the xattr_ids count in the filesystem. Both of these
	flaws cause computation overflow due to incorrect typing.

	In the corrupted filesystem the xattr_ids value is 4294967071, which
	stored in a signed variable becomes the negative number -225.

	Flaw 1 (64-bit systems only):

	The signed integer xattr_ids variable causes sign extension.

	This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The
	variable is first multiplied by sizeof(struct squashfs_xattr_id) where the
	type of the sizeof operator is "unsigned long".

	On a 64-bit system this is 64-bits in size, and causes the negative number
	to be sign extended and widened to 64-bits and then become unsigned. This
	produces the very large number 18446744073709548016 or 2^64 - 3600. This
	number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and
	divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0
	(stored in len).

	Flaw 2 (32-bit systems only):

	On a 32-bit system the integer variable is not widened by the unsigned
	long type of the sizeof operator (32-bits), and the signedness of the
	variable has no effect due it always being treated as unsigned.

	The above corrupted xattr_ids value of 4294967071, when multiplied
	overflows and produces the number 4294963696 or 2^32 - 3400. This number
	when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by
	SQUASHFS_METADATA_SIZE overflows again and produces a length of 0.

	The effect of the 0 length computation:

	In conjunction with the corrupted xattr_ids field, the filesystem also has
	a corrupted xattr_table_start value, where it matches the end of
	filesystem value of 850.

	This causes the following sanity check code to fail because the
	incorrectly computed len of 0 matches the incorrect size of the table
	reported by the superblock (0 bytes).

	len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
	indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);

	/*
	* The computed size of the index table (len bytes) should exactly
	* match the table start and end points
	*/
	start = table_start + sizeof(*id_table);
	end = msblk->bytes_used;

	if (len != (end - start))
	return ERR_PTR(-EINVAL);

	Changing the xattr_ids variable to be "usigned int" fixes the flaw on a
	64-bit system. This relies on the fact the computation is widened by the
	unsigned long type of the sizeof operator.

	Casting the variable to u64 in the above macro fixes this flaw on a 32-bit
	system.

	It also means 64-bit systems do not implicitly rely on the type of the
	sizeof operator to widen the computation.

	[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/

	The Linux kernel CVE team has assigned CVE-2023-52933 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14.222 with commit ff49cace7b8cf00d27665f7536a863d406963d06 and fixed in 4.14.306 with commit 7fe583c9bec10cd4b76231c51b37f3e4ca646e01
	Issue introduced in 4.19.176 with commit a8717b34003f4f7353b23826617ad872f85d85d8 and fixed in 4.19.273 with commit b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2
	Issue introduced in 5.4.98 with commit 3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad and fixed in 5.4.232 with commit 1369322c1de52c7b9b988b95c9903110a4566778
	Issue introduced in 5.10.16 with commit bddcce15cd1fb9675ddd46a76d8fe2d0a571313b and fixed in 5.10.168 with commit 5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e
	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 5.15.93 with commit 997bed0f3cde78a3e639d624985bf4a95cf767e6
	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 6.1.11 with commit a7da7d01ac5ce9b369a1ac70e1197999cc6c9686
	Issue introduced in 5.11 with commit 506220d2ba21791314af569211ffd8870b8208fa and fixed in 6.2 with commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc
	Issue introduced in 4.4.258 with commit 91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b
	Issue introduced in 4.9.258 with commit eca93bf20f70e0f78c8c28720951942f61a49117

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52933
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/squashfs/squashfs_fs.h
	fs/squashfs/squashfs_fs_sb.h
	fs/squashfs/xattr.h
	fs/squashfs/xattr_id.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7fe583c9bec10cd4b76231c51b37f3e4ca646e01
	https://git.kernel.org/stable/c/b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2
	https://git.kernel.org/stable/c/1369322c1de52c7b9b988b95c9903110a4566778
	https://git.kernel.org/stable/c/5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e
	https://git.kernel.org/stable/c/997bed0f3cde78a3e639d624985bf4a95cf767e6
	https://git.kernel.org/stable/c/a7da7d01ac5ce9b369a1ac70e1197999cc6c9686
	https://git.kernel.org/stable/c/f65c4bbbd682b0877b669828b4e033b8d5d0a2dc