cve/published/2024/CVE-2024-26981.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26981: nilfs2: fix OOB in nilfs_set_de_type

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: fix OOB in nilfs_set_de_type

 The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
 defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
 which uses this array, specifies the index to read from the array in the
 same way as "(mode & S_IFMT) >> S_SHIFT".

 static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
  *inode)
 {
 	umode_t mode = inode->i_mode;

 	de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
 }

 However, when the index is determined this way, an out-of-bounds (OOB)
 error occurs by referring to an index that is 1 larger than the array size
 when the condition "mode & S_IFMT == S_IFMT" is satisfied.  Therefore, a
 patch to resize the nilfs_type_by_mode array should be applied to prevent
 OOB errors.

 The Linux kernel CVE team has assigned CVE-2024-26981 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 4.19.313 with commit 054f29e9ca05be3906544c5f2a2c7321c30a4243
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.275 with commit 90f43980ea6be4ad903e389be9a27a2a0018f1c8
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.216 with commit 7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.157 with commit bdbe483da21f852c93b22557b146bc4d989260f0
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.88 with commit 897ac5306bbeb83e90c437326f7044c79a17c611
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.29 with commit 2382eae66b196c31893984a538908c3eb7506ff9
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.8.8 with commit 90823f8d9ecca3d5fa6b102c8e464c62f416975f
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.9 with commit c4a7dc9523b59b3e73fd522c73e95e072f876b16

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26981
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nilfs2/dir.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243
 	https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8
 	https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1
 	https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0
 	https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611
 	https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9
 	https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f
 	https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26981: nilfs2: fix OOB in nilfs_set_de_type

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nilfs2: fix OOB in nilfs_set_de_type

	The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
	defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
	which uses this array, specifies the index to read from the array in the
	same way as "(mode & S_IFMT) >> S_SHIFT".

	static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
	*inode)
	{
	umode_t mode = inode->i_mode;

	de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
	}

	However, when the index is determined this way, an out-of-bounds (OOB)
	error occurs by referring to an index that is 1 larger than the array size
	when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a
	patch to resize the nilfs_type_by_mode array should be applied to prevent
	OOB errors.

	The Linux kernel CVE team has assigned CVE-2024-26981 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 4.19.313 with commit 054f29e9ca05be3906544c5f2a2c7321c30a4243
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.275 with commit 90f43980ea6be4ad903e389be9a27a2a0018f1c8
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.216 with commit 7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.157 with commit bdbe483da21f852c93b22557b146bc4d989260f0
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.88 with commit 897ac5306bbeb83e90c437326f7044c79a17c611
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.29 with commit 2382eae66b196c31893984a538908c3eb7506ff9
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.8.8 with commit 90823f8d9ecca3d5fa6b102c8e464c62f416975f
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.9 with commit c4a7dc9523b59b3e73fd522c73e95e072f876b16

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26981
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nilfs2/dir.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243
	https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8
	https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1
	https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0
	https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611
	https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9
	https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f
	https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16