cve/published/2024/CVE-2024-43859.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-43859: f2fs: fix to truncate preallocated blocks in f2fs_file_open()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to truncate preallocated blocks in f2fs_file_open()

 chenyuwen reports a f2fs bug as below:

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000011
  fscrypt_set_bio_crypt_ctx+0x78/0x1e8
  f2fs_grab_read_bio+0x78/0x208
  f2fs_submit_page_read+0x44/0x154
  f2fs_get_read_data_page+0x288/0x5f4
  f2fs_get_lock_data_page+0x60/0x190
  truncate_partial_data_page+0x108/0x4fc
  f2fs_do_truncate_blocks+0x344/0x5f0
  f2fs_truncate_blocks+0x6c/0x134
  f2fs_truncate+0xd8/0x200
  f2fs_iget+0x20c/0x5ac
  do_garbage_collect+0x5d0/0xf6c
  f2fs_gc+0x22c/0x6a4
  f2fs_disable_checkpoint+0xc8/0x310
  f2fs_fill_super+0x14bc/0x1764
  mount_bdev+0x1b4/0x21c
  f2fs_mount+0x20/0x30
  legacy_get_tree+0x50/0xbc
  vfs_get_tree+0x5c/0x1b0
  do_new_mount+0x298/0x4cc
  path_mount+0x33c/0x5fc
  __arm64_sys_mount+0xcc/0x15c
  invoke_syscall+0x60/0x150
  el0_svc_common+0xb8/0xf8
  do_el0_svc+0x28/0xa0
  el0_svc+0x24/0x84
  el0t_64_sync_handler+0x88/0xec

 It is because inode.i_crypt_info is not initialized during below path:
 - mount
  - f2fs_fill_super
   - f2fs_disable_checkpoint
    - f2fs_gc
     - f2fs_iget
      - f2fs_truncate

 So, let's relocate truncation of preallocated blocks to f2fs_file_open(),
 after fscrypt_file_open().

 The Linux kernel CVE team has assigned CVE-2024-43859 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.1.109 with commit 5f04969136db674f133781626e0b692c5f2bf2f0
 	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.6.44 with commit f44a25a8bfe0c15d33244539696cd9119cf44d18
 	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.10.3 with commit 3ba0ae885215b325605ff7ebf6de12ac2adf204d
 	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.11 with commit 298b1e4182d657c3e388adcc29477904e9600ed5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-43859
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/f2fs.h
 	fs/f2fs/file.c
 	fs/f2fs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5f04969136db674f133781626e0b692c5f2bf2f0
 	https://git.kernel.org/stable/c/f44a25a8bfe0c15d33244539696cd9119cf44d18
 	https://git.kernel.org/stable/c/3ba0ae885215b325605ff7ebf6de12ac2adf204d
 	https://git.kernel.org/stable/c/298b1e4182d657c3e388adcc29477904e9600ed5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-43859: f2fs: fix to truncate preallocated blocks in f2fs_file_open()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to truncate preallocated blocks in f2fs_file_open()

	chenyuwen reports a f2fs bug as below:

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000011
	fscrypt_set_bio_crypt_ctx+0x78/0x1e8
	f2fs_grab_read_bio+0x78/0x208
	f2fs_submit_page_read+0x44/0x154
	f2fs_get_read_data_page+0x288/0x5f4
	f2fs_get_lock_data_page+0x60/0x190
	truncate_partial_data_page+0x108/0x4fc
	f2fs_do_truncate_blocks+0x344/0x5f0
	f2fs_truncate_blocks+0x6c/0x134
	f2fs_truncate+0xd8/0x200
	f2fs_iget+0x20c/0x5ac
	do_garbage_collect+0x5d0/0xf6c
	f2fs_gc+0x22c/0x6a4
	f2fs_disable_checkpoint+0xc8/0x310
	f2fs_fill_super+0x14bc/0x1764
	mount_bdev+0x1b4/0x21c
	f2fs_mount+0x20/0x30
	legacy_get_tree+0x50/0xbc
	vfs_get_tree+0x5c/0x1b0
	do_new_mount+0x298/0x4cc
	path_mount+0x33c/0x5fc
	__arm64_sys_mount+0xcc/0x15c
	invoke_syscall+0x60/0x150
	el0_svc_common+0xb8/0xf8
	do_el0_svc+0x28/0xa0
	el0_svc+0x24/0x84
	el0t_64_sync_handler+0x88/0xec

	It is because inode.i_crypt_info is not initialized during below path:
	- mount
	- f2fs_fill_super
	- f2fs_disable_checkpoint
	- f2fs_gc
	- f2fs_iget
	- f2fs_truncate

	So, let's relocate truncation of preallocated blocks to f2fs_file_open(),
	after fscrypt_file_open().

	The Linux kernel CVE team has assigned CVE-2024-43859 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.1.109 with commit 5f04969136db674f133781626e0b692c5f2bf2f0
	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.6.44 with commit f44a25a8bfe0c15d33244539696cd9119cf44d18
	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.10.3 with commit 3ba0ae885215b325605ff7ebf6de12ac2adf204d
	Issue introduced in 5.17 with commit d4dd19ec1ea0cf6532d65709325c42b1398614a8 and fixed in 6.11 with commit 298b1e4182d657c3e388adcc29477904e9600ed5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-43859
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/f2fs.h
	fs/f2fs/file.c
	fs/f2fs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5f04969136db674f133781626e0b692c5f2bf2f0
	https://git.kernel.org/stable/c/f44a25a8bfe0c15d33244539696cd9119cf44d18
	https://git.kernel.org/stable/c/3ba0ae885215b325605ff7ebf6de12ac2adf204d
	https://git.kernel.org/stable/c/298b1e4182d657c3e388adcc29477904e9600ed5