From bippy-1.0.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26982: Squashfs: check the inode number is not the invalid value of zero

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check the inode number is not the invalid value of zero

Syzkaller has produced an out of bounds access in fill_meta_index().

That out of bounds access is ultimately caused because the inode
has an inode number with the invalid value of zero, which was not checked.

The reason this causes the out of bounds access is due to the following
sequence of events:

1. Fill_meta_index() is called to allocate (via empty_meta_index())
   and fill a metadata index. It however suffers a data read error
   and aborts, invalidating the newly returned empty metadata index.
   It does this by setting the inode number of the index to zero,
   which means unused (zero is not a valid inode number).

2. When fill_meta_index() is subsequently called again on another
   read operation, locate_meta_index() returns the previous index
   because it matches the inode number of 0. Because this index
   has been returned it is expected to have been filled, and because
   it hasn't been, an out of bounds access is performed.

This patch adds a sanity check which checks that the inode number
is not zero when the inode is created and returns -EINVAL if it is.

[phillip@squashfs.org.uk: whitespace fix]

The Linux kernel CVE team has assigned CVE-2024-26982 to this issue.
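The two-step sequence above, as an added illustration that is not the kernel's fs/squashfs code: a simplified metadata-index cache whose unused slots carry inode number 0, a stand-in read that can be made to fail, and the patch's check modelled at inode creation. The slot count, the one-entry fill policy, the -ERANGE marker standing in for the out of bounds access, and the constructed index values are assumptions of this model.

```c
/*
 * Added example, not the kernel's fs/squashfs code: a simplified model of a
 * metadata-index cache that marks unused slots with inode number 0, as the
 * CVE text describes. Slot count, fill policy and index values are assumed.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define CACHE_SLOTS   4
#define INDEX_ENTRIES 8

struct meta_index {
    unsigned int inode_number;   /* 0 means the slot is unused */
    int offset;                  /* first block this index covers */
    int entries;                 /* entries actually filled */
    int index_block[INDEX_ENTRIES];
};

/* Find a cached index belonging to `ino` that covers block `want`. */
static struct meta_index *locate_meta_index(struct meta_index *cache,
                                            unsigned int ino, int want)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct meta_index *m = &cache[i];
        if (m->inode_number == ino && want >= m->offset &&
            want <= m->offset + m->entries)
            return m;
    }
    return NULL;
}

/* Claim an unused slot (inode_number == 0) for `ino`, starting at `offset`. */
static struct meta_index *empty_meta_index(struct meta_index *cache,
                                           unsigned int ino, int offset)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].inode_number == 0) {
            cache[i].inode_number = ino;
            cache[i].offset = offset;
            cache[i].entries = 0;
            return &cache[i];
        }
    }
    return NULL;
}

/* Stand-in for the metadata read; fails with -EIO when `read_fails` is set. */
static int read_index_block(int block, int *out, int read_fails)
{
    if (read_fails)
        return -EIO;
    *out = 1000 + block;         /* constructed value */
    return 0;
}

/*
 * Store the index block for `want` in *value, or return a negative errno.
 * A located index is trusted to be filled (the assumption in the CVE text);
 * -ERANGE marks where the kernel instead read past the filled entries.
 */
static int fill_meta_index(struct meta_index *cache, unsigned int ino,
                           int want, int read_fails, int *value)
{
    struct meta_index *m = locate_meta_index(cache, ino, want);

    if (m == NULL) {
        m = empty_meta_index(cache, ino, want);
        if (m == NULL)
            return -ENOMEM;
        int err = read_index_block(want, &m->index_block[0], read_fails);
        if (err < 0) {
            m->inode_number = 0; /* abort: release the slot, offset stays */
            return err;
        }
        m->entries = 1;
    } else if (want - m->offset >= m->entries) {
        return -ERANGE;          /* "filled" index that was never filled */
    }
    *value = m->index_block[want - m->offset];
    return 0;
}

/* The patch's sanity check, applied when the inode is created. */
static int squashfs_check_inode_number(unsigned int ino)
{
    return ino == 0 ? -EINVAL : 0;
}

/* Run the two reads from the description on a fresh cache; return the index
 * block the second read yields, or a negative errno. */
static int run_sequence(unsigned int ino, int want, int validate)
{
    struct meta_index cache[CACHE_SLOTS];
    int value = 0, err;

    memset(cache, 0, sizeof cache);             /* every slot starts unused */
    if (validate && (err = squashfs_check_inode_number(ino)) < 0)
        return err;
    (void)fill_meta_index(cache, ino, want, 1, &value); /* 1: read error */
    err = fill_meta_index(cache, ino, want, 0, &value); /* 2: retry */
    return err < 0 ? err : value;
}
```

For a valid inode number the aborted first read releases its slot (inode_number back to 0) and the retry allocates a fresh one, so run_sequence(5, 3, 0) returns the constructed block 1003. For inode number 0 the released slot still matches the inode, so the retry treats a never-filled index as filled and run_sequence(0, 3, 0) returns -ERANGE, the model's marker for the out of bounds access. With the check enabled, run_sequence(0, 3, 1) returns -EINVAL before any read touches the cache, which is the effect of the patch: the ambiguity between "unused" and "inode 0" cannot be removed from the cache representation, so the invalid inode number is rejected at the point the inode is created.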

Affected and fixed versions
===========================

Fixed in 5.4.291 with commit 32c114a58236fe67141634774559f21f1dc96fd7
Fixed in 5.10.235 with commit 4a1b6f89825e267e156ccaeba3d235edcac77f94
Fixed in 5.15.179 with commit cf46f88b92cfc0e32bd8a21ba1273cff13b8745f
Fixed in 6.1.130 with commit 5b99dea79650b50909c50aba24fbae00f203f013
Fixed in 6.6.30 with commit be383effaee3d89034f0828038f95065b518772e
Fixed in 6.8.8 with commit 7def00ebc9f2d6a581ddf46ce4541f84a10680e5
Fixed in 6.9 with commit 9253c54e01b6505d348afbc02abaa4d9f8a01395

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26982
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/squashfs/inode.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/32c114a58236fe67141634774559f21f1dc96fd7
https://git.kernel.org/stable/c/4a1b6f89825e267e156ccaeba3d235edcac77f94
https://git.kernel.org/stable/c/cf46f88b92cfc0e32bd8a21ba1273cff13b8745f
https://git.kernel.org/stable/c/5b99dea79650b50909c50aba24fbae00f203f013
https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e
https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5
https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395