cve/published/2024/CVE-2024-38599.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38599: jffs2: prevent xattr node from overflowing the eraseblock

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jffs2: prevent xattr node from overflowing the eraseblock

 Add a check to make sure that the requested xattr node size is no larger
 than the eraseblock minus the cleanmarker.

 Unlike the usual inode nodes, the xattr nodes aren't split into parts
 and spread across multiple eraseblocks, which means that a xattr node
 must not occupy more than one eraseblock. If the requested xattr value is
 too large, the xattr node can spill onto the next eraseblock, overwriting
 the nodes and causing errors such as:

 jffs2: argh. node added in wrong place at 0x0000b050(2)
 jffs2: nextblock 0x0000a000, expected at 0000b00c
 jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,
 read=0xfc892c93, calc=0x000000
 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed
 at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
 jffs2: Node at 0x0000000c with length 0x00001044 would run over the
 end of the erase block
 jffs2: Perhaps the file system was created with the wrong erase size?
 jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
 at 0x00000010: 0x1044 instead

 This breaks the filesystem and can lead to KASAN crashes such as:

 BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
 Read of size 4 at addr ffff88802c31e914 by task repro/830
 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
 BIOS Arch Linux 1.16.3-1-1 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0xc6/0x120
  print_report+0xc4/0x620
  ? __virt_addr_valid+0x308/0x5b0
  kasan_report+0xc1/0xf0
  ? jffs2_sum_add_kvec+0x125e/0x15d0
  ? jffs2_sum_add_kvec+0x125e/0x15d0
  jffs2_sum_add_kvec+0x125e/0x15d0
  jffs2_flash_direct_writev+0xa8/0xd0
  jffs2_flash_writev+0x9c9/0xef0
  ? __x64_sys_setxattr+0xc4/0x160
  ? do_syscall_64+0x69/0x140
  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [...]

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2024-38599 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.19.316 with commit 2904e1d9b64f72d291095e3cbb31634f08788b11
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.4.278 with commit 526235dffcac74c7823ed504dfac4f88d84ba5df
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.10.219 with commit f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.15.161 with commit a1d21bcd78cf4a4353e1e835789429c6b76aca8b
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.1.93 with commit f06969df2e40ab1dc8f4364a5de967830c74a098
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.6.33 with commit af82d8d2179b7277ad627c39e7e0778f1c86ccdb
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.8.12 with commit 8d431391320c5c5398ff966fb3a95e68a7def275
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.9.3 with commit 978a12c91b38bf1a213e567f3c20e2beef215f07
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.10 with commit c6854e5a267c28300ff045480b5a7ee7f6f1d913

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38599
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jffs2/xattr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11
 	https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df
 	https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8
 	https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b
 	https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098
 	https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb
 	https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275
 	https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07
 	https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38599: jffs2: prevent xattr node from overflowing the eraseblock

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jffs2: prevent xattr node from overflowing the eraseblock

	Add a check to make sure that the requested xattr node size is no larger
	than the eraseblock minus the cleanmarker.

	Unlike the usual inode nodes, the xattr nodes aren't split into parts
	and spread across multiple eraseblocks, which means that a xattr node
	must not occupy more than one eraseblock. If the requested xattr value is
	too large, the xattr node can spill onto the next eraseblock, overwriting
	the nodes and causing errors such as:

	jffs2: argh. node added in wrong place at 0x0000b050(2)
	jffs2: nextblock 0x0000a000, expected at 0000b00c
	jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,
	read=0xfc892c93, calc=0x000000
	jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed
	at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
	jffs2: Node at 0x0000000c with length 0x00001044 would run over the
	end of the erase block
	jffs2: Perhaps the file system was created with the wrong erase size?
	jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
	at 0x00000010: 0x1044 instead

	This breaks the filesystem and can lead to KASAN crashes such as:

	BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
	Read of size 4 at addr ffff88802c31e914 by task repro/830
	CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
	BIOS Arch Linux 1.16.3-1-1 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0xc6/0x120
	print_report+0xc4/0x620
	? __virt_addr_valid+0x308/0x5b0
	kasan_report+0xc1/0xf0
	? jffs2_sum_add_kvec+0x125e/0x15d0
	? jffs2_sum_add_kvec+0x125e/0x15d0
	jffs2_sum_add_kvec+0x125e/0x15d0
	jffs2_flash_direct_writev+0xa8/0xd0
	jffs2_flash_writev+0x9c9/0xef0
	? __x64_sys_setxattr+0xc4/0x160
	? do_syscall_64+0x69/0x140
	? entry_SYSCALL_64_after_hwframe+0x76/0x7e
	[...]

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2024-38599 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.19.316 with commit 2904e1d9b64f72d291095e3cbb31634f08788b11
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.4.278 with commit 526235dffcac74c7823ed504dfac4f88d84ba5df
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.10.219 with commit f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.15.161 with commit a1d21bcd78cf4a4353e1e835789429c6b76aca8b
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.1.93 with commit f06969df2e40ab1dc8f4364a5de967830c74a098
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.6.33 with commit af82d8d2179b7277ad627c39e7e0778f1c86ccdb
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.8.12 with commit 8d431391320c5c5398ff966fb3a95e68a7def275
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.9.3 with commit 978a12c91b38bf1a213e567f3c20e2beef215f07
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 6.10 with commit c6854e5a267c28300ff045480b5a7ee7f6f1d913

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38599
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jffs2/xattr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11
	https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df
	https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8
	https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b
	https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098
	https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb
	https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275
	https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07
	https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913