cve/published/2024/CVE-2024-38636.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38636: f2fs: multidev: fix to recognize valid zero block address

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: multidev: fix to recognize valid zero block address

 As reported by Yi Zhang in mailing list [1], kernel warning was catched
 during zbd/010 test as below:

 ./check zbd/010
 zbd/010 (test gap zone support with F2FS)                    [failed]
     runtime    ...  3.752s
     something found in dmesg:
     [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13
     [ 4378.192349] null_blk: module loaded
     [ 4378.209860] null_blk: disk nullb0 created
     [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim
 poll_queues to 0. poll_q/nr_hw = (0/1)
     [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520]
                      dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0
     [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux
 scsi_debug       0191 PQ: 0 ANSI: 7
     [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred
     [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20
     [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device
     ...
     (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg'

 WARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51
 CPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1
 RIP: 0010:iomap_iter+0x32b/0x350
 Call Trace:
  <TASK>
  __iomap_dio_rw+0x1df/0x830
  f2fs_file_read_iter+0x156/0x3d0 [f2fs]
  aio_read+0x138/0x210
  io_submit_one+0x188/0x8c0
  __x64_sys_io_submit+0x8c/0x1a0
  do_syscall_64+0x86/0x170
  entry_SYSCALL_64_after_hwframe+0x6e/0x76

 Shinichiro Kawasaki helps to analyse this issue and proposes a potential
 fixing patch in [2].

 Quoted from reply of Shinichiro Kawasaki:

 "I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a
 look in the commit, but it looks fine to me. So I thought the cause is not
 in the commit diff.

 I found the WARN is printed when the f2fs is set up with multiple devices,
 and read requests are mapped to the very first block of the second device in the
 direct read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached()
 modify map->m_pblk as the physical block address from each block device. It
 becomes zero when it is mapped to the first block of the device. However,
 f2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the
 whole f2fs, across the all block devices. It compares map->m_pblk against
 NULL_ADDR == 0, then go into the unexpected branch and sets the invalid
 iomap->length. The WARN catches the invalid iomap->length.

 This WARN is printed even for non-zoned block devices, by following steps.

  - Create two (non-zoned) null_blk devices memory backed with 128MB size each:
    nullb0 and nullb1.
  # mkfs.f2fs /dev/nullb0 -c /dev/nullb1
  # mount -t f2fs /dev/nullb0 "${mount_dir}"
  # dd if=/dev/zero of="${mount_dir}/test.dat" bs=1M count=192
  # dd if="${mount_dir}/test.dat" of=/dev/null bs=1M count=192 iflag=direct

 ..."

 So, the root cause of this issue is: when multi-devices feature is on,
 f2fs_map_blocks() may return zero blkaddr in non-primary device, which is
 a verified valid block address, however, f2fs_iomap_begin() treats it as
 an invalid block address, and then it triggers the warning in iomap
 framework code.

 Finally, as discussed, we decide to use a more simple and direct way that
 checking (map.m_flags & F2FS_MAP_MAPPED) condition instead of
 (map.m_pblk != NULL_ADDR) to fix this issue.

 Thanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this
 issue.

 [1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/
 [2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/

 The Linux kernel CVE team has assigned CVE-2024-38636 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.1.93 with commit 1a9225fdd0ec95fcf32936bcea9ceef0cf1512dc
 	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.6.33 with commit 2b2611a42462c6c685d40b5f3aedcd8d21c27065
 	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.9.4 with commit e8b485e39b4d17afa9a2821fc778d5a67abfc03a
 	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.10 with commit 33e62cd7b4c281cd737c62e5d8c4f0e602a8c5c5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38636
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/data.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1a9225fdd0ec95fcf32936bcea9ceef0cf1512dc
 	https://git.kernel.org/stable/c/2b2611a42462c6c685d40b5f3aedcd8d21c27065
 	https://git.kernel.org/stable/c/e8b485e39b4d17afa9a2821fc778d5a67abfc03a
 	https://git.kernel.org/stable/c/33e62cd7b4c281cd737c62e5d8c4f0e602a8c5c5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38636: f2fs: multidev: fix to recognize valid zero block address

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: multidev: fix to recognize valid zero block address

	As reported by Yi Zhang in mailing list [1], kernel warning was catched
	during zbd/010 test as below:

	./check zbd/010
	zbd/010 (test gap zone support with F2FS) [failed]
	runtime ... 3.752s
	something found in dmesg:
	[ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13
	[ 4378.192349] null_blk: module loaded
	[ 4378.209860] null_blk: disk nullb0 created
	[ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim
	poll_queues to 0. poll_q/nr_hw = (0/1)
	[ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520]
	dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0
	[ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux
	scsi_debug 0191 PQ: 0 ANSI: 7
	[ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred
	[ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20
	[ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device
	...
	(See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg'

	WARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51
	CPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1
	RIP: 0010:iomap_iter+0x32b/0x350
	Call Trace:
	<TASK>
	__iomap_dio_rw+0x1df/0x830
	f2fs_file_read_iter+0x156/0x3d0 [f2fs]
	aio_read+0x138/0x210
	io_submit_one+0x188/0x8c0
	__x64_sys_io_submit+0x8c/0x1a0
	do_syscall_64+0x86/0x170
	entry_SYSCALL_64_after_hwframe+0x6e/0x76

	Shinichiro Kawasaki helps to analyse this issue and proposes a potential
	fixing patch in [2].

	Quoted from reply of Shinichiro Kawasaki:

	"I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a
	look in the commit, but it looks fine to me. So I thought the cause is not
	in the commit diff.

	I found the WARN is printed when the f2fs is set up with multiple devices,
	and read requests are mapped to the very first block of the second device in the
	direct read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached()
	modify map->m_pblk as the physical block address from each block device. It
	becomes zero when it is mapped to the first block of the device. However,
	f2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the
	whole f2fs, across the all block devices. It compares map->m_pblk against
	NULL_ADDR == 0, then go into the unexpected branch and sets the invalid
	iomap->length. The WARN catches the invalid iomap->length.

	This WARN is printed even for non-zoned block devices, by following steps.

	- Create two (non-zoned) null_blk devices memory backed with 128MB size each:
	nullb0 and nullb1.
	# mkfs.f2fs /dev/nullb0 -c /dev/nullb1
	# mount -t f2fs /dev/nullb0 "${mount_dir}"
	# dd if=/dev/zero of="${mount_dir}/test.dat" bs=1M count=192
	# dd if="${mount_dir}/test.dat" of=/dev/null bs=1M count=192 iflag=direct

	..."

	So, the root cause of this issue is: when multi-devices feature is on,
	f2fs_map_blocks() may return zero blkaddr in non-primary device, which is
	a verified valid block address, however, f2fs_iomap_begin() treats it as
	an invalid block address, and then it triggers the warning in iomap
	framework code.

	Finally, as discussed, we decide to use a more simple and direct way that
	checking (map.m_flags & F2FS_MAP_MAPPED) condition instead of
	(map.m_pblk != NULL_ADDR) to fix this issue.

	Thanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this
	issue.

	[1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/
	[2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/

	The Linux kernel CVE team has assigned CVE-2024-38636 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.1.93 with commit 1a9225fdd0ec95fcf32936bcea9ceef0cf1512dc
	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.6.33 with commit 2b2611a42462c6c685d40b5f3aedcd8d21c27065
	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.9.4 with commit e8b485e39b4d17afa9a2821fc778d5a67abfc03a
	Issue introduced in 5.17 with commit 1517c1a7a4456f080fabc4ac9853930e4b880d14 and fixed in 6.10 with commit 33e62cd7b4c281cd737c62e5d8c4f0e602a8c5c5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38636
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/data.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1a9225fdd0ec95fcf32936bcea9ceef0cf1512dc
	https://git.kernel.org/stable/c/2b2611a42462c6c685d40b5f3aedcd8d21c27065
	https://git.kernel.org/stable/c/e8b485e39b4d17afa9a2821fc778d5a67abfc03a
	https://git.kernel.org/stable/c/33e62cd7b4c281cd737c62e5d8c4f0e602a8c5c5