cve/published/2024/CVE-2024-41013.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41013: xfs: don't walk off the end of a directory data block

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xfs: don't walk off the end of a directory data block

 This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry
 to make sure don't stray beyond valid memory region. Before patching, the
 loop simply checks that the start offset of the dup and dep is within the
 range. So in a crafted image, if last entry is xfs_dir2_data_unused, we
 can change dup->length to dup->length-1 and leave 1 byte of space. In the
 next traversal, this space will be considered as dup or dep. We may
 encounter an out of bound read when accessing the fixed members.

 In the patch, we make sure that the remaining bytes large enough to hold
 an unused entry before accessing xfs_dir2_data_unused and
 xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make
 sure that the remaining bytes large enough to hold a dirent with a
 single-byte name before accessing xfs_dir2_data_entry.

 The Linux kernel CVE team has assigned CVE-2024-41013 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.68 with commit ca96d83c93071f95cf962ce92406621a472df31b
 	Fixed in 6.11 with commit 0c7fcdb6d06cdf8b19b57c17605215b06afa864a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41013
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/xfs/libxfs/xfs_dir2_data.c
 	fs/xfs/libxfs/xfs_dir2_priv.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b
 	https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41013: xfs: don't walk off the end of a directory data block

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xfs: don't walk off the end of a directory data block

	This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry
	to make sure don't stray beyond valid memory region. Before patching, the
	loop simply checks that the start offset of the dup and dep is within the
	range. So in a crafted image, if last entry is xfs_dir2_data_unused, we
	can change dup->length to dup->length-1 and leave 1 byte of space. In the
	next traversal, this space will be considered as dup or dep. We may
	encounter an out of bound read when accessing the fixed members.

	In the patch, we make sure that the remaining bytes large enough to hold
	an unused entry before accessing xfs_dir2_data_unused and
	xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make
	sure that the remaining bytes large enough to hold a dirent with a
	single-byte name before accessing xfs_dir2_data_entry.

	The Linux kernel CVE team has assigned CVE-2024-41013 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.68 with commit ca96d83c93071f95cf962ce92406621a472df31b
	Fixed in 6.11 with commit 0c7fcdb6d06cdf8b19b57c17605215b06afa864a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41013
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/xfs/libxfs/xfs_dir2_data.c
	fs/xfs/libxfs/xfs_dir2_priv.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b
	https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a