cve/published/2024/CVE-2024-44941.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44941: f2fs: fix to cover read extent cache access with lock

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to cover read extent cache access with lock

 syzbot reports a f2fs bug as below:

 BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097

 CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:488
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
  do_read_inode fs/f2fs/inode.c:509 [inline]
  f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
  f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
  generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
  exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
  exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
  do_handle_to_path fs/fhandle.c:155 [inline]
  handle_to_path fs/fhandle.c:210 [inline]
  do_handle_open+0x495/0x650 fs/fhandle.c:226
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 We missed to cover sanity_check_extent_cache() w/ extent cache lock,
 so, below race case may happen, result in use after free issue.

 - f2fs_iget
  - do_read_inode
   - f2fs_init_read_extent_tree
   : add largest extent entry in to cache
 					- shrink
 					 - f2fs_shrink_read_extent_tree
 					  - __shrink_extent_tree
 					   - __detach_extent_node
 					   : drop largest extent entry
   - sanity_check_extent_cache
   : access et->largest w/o lock

 let's refactor sanity_check_extent_cache() to avoid extent cache access
 and call it before f2fs_init_read_extent_tree() to fix this issue.

 The Linux kernel CVE team has assigned CVE-2024-44941 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.47 with commit 263df78166d3a9609b97d28c34029bd01874cbb8
 	Fixed in 6.10.6 with commit 323ef20b5558b9d9fd10c1224327af6f11a8177d
 	Fixed in 6.11 with commit d7409b05a64f212735f0d33f5f1602051a886eab

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44941
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/extent_cache.c
 	fs/f2fs/f2fs.h
 	fs/f2fs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8
 	https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d
 	https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44941: f2fs: fix to cover read extent cache access with lock

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to cover read extent cache access with lock

	syzbot reports a f2fs bug as below:

	BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
	Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097

	CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
	do_read_inode fs/f2fs/inode.c:509 [inline]
	f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
	f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
	generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
	exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
	exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
	do_handle_to_path fs/fhandle.c:155 [inline]
	handle_to_path fs/fhandle.c:210 [inline]
	do_handle_open+0x495/0x650 fs/fhandle.c:226
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	We missed to cover sanity_check_extent_cache() w/ extent cache lock,
	so, below race case may happen, result in use after free issue.

	- f2fs_iget
	- do_read_inode
	- f2fs_init_read_extent_tree
	: add largest extent entry in to cache
	- shrink
	- f2fs_shrink_read_extent_tree
	- __shrink_extent_tree
	- __detach_extent_node
	: drop largest extent entry
	- sanity_check_extent_cache
	: access et->largest w/o lock

	let's refactor sanity_check_extent_cache() to avoid extent cache access
	and call it before f2fs_init_read_extent_tree() to fix this issue.

	The Linux kernel CVE team has assigned CVE-2024-44941 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.47 with commit 263df78166d3a9609b97d28c34029bd01874cbb8
	Fixed in 6.10.6 with commit 323ef20b5558b9d9fd10c1224327af6f11a8177d
	Fixed in 6.11 with commit d7409b05a64f212735f0d33f5f1602051a886eab

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44941
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/extent_cache.c
	fs/f2fs/f2fs.h
	fs/f2fs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8
	https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d
	https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab