cve/published/2024/CVE-2024-47691.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47691: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

 syzbot reports a f2fs bug as below:

  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
  print_report+0xe8/0x550 mm/kasan/report.c:491
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
  instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
  atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
  __refcount_add include/linux/refcount.h:184 [inline]
  __refcount_inc include/linux/refcount.h:241 [inline]
  refcount_inc include/linux/refcount.h:258 [inline]
  get_task_struct include/linux/sched/task.h:118 [inline]
  kthread_stop+0xca/0x630 kernel/kthread.c:704
  f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
  f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
  f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
  __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:907 [inline]
  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The root cause is below race condition, it may cause use-after-free
 issue in sbi->gc_th pointer.

 - remount
  - f2fs_remount
   - f2fs_stop_gc_thread
    - kfree(gc_th)
 				- f2fs_ioc_shutdown
 				 - f2fs_do_shutdown
 				  - f2fs_stop_gc_thread
 				   - kthread_stop(gc_th->f2fs_gc_task)
    : sbi->gc_thread = NULL;

 We will call f2fs_do_shutdown() in two paths:
 - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
 for fixing.
 - for f2fs_shutdown() path, it's safe since caller has already grabbed
 sb->s_umount semaphore.

 The Linux kernel CVE team has assigned CVE-2024-47691 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.6.54 with commit fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812
 	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.10.13 with commit 7c339dee7eb0f8e4cadc317c595f898ef04dae30
 	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.11.2 with commit d79343cd66343709e409d96b2abb139a0a55ce34
 	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.12 with commit c7f114d864ac91515bb07ac271e9824a20f5ed95

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47691
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/f2fs.h
 	fs/f2fs/file.c
 	fs/f2fs/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812
 	https://git.kernel.org/stable/c/7c339dee7eb0f8e4cadc317c595f898ef04dae30
 	https://git.kernel.org/stable/c/d79343cd66343709e409d96b2abb139a0a55ce34
 	https://git.kernel.org/stable/c/c7f114d864ac91515bb07ac271e9824a20f5ed95
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47691: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

	syzbot reports a f2fs bug as below:

	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
	print_report+0xe8/0x550 mm/kasan/report.c:491
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
	instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
	atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
	__refcount_add include/linux/refcount.h:184 [inline]
	__refcount_inc include/linux/refcount.h:241 [inline]
	refcount_inc include/linux/refcount.h:258 [inline]
	get_task_struct include/linux/sched/task.h:118 [inline]
	kthread_stop+0xca/0x630 kernel/kthread.c:704
	f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
	f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
	f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
	__f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:907 [inline]
	__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The root cause is below race condition, it may cause use-after-free
	issue in sbi->gc_th pointer.

	- remount
	- f2fs_remount
	- f2fs_stop_gc_thread
	- kfree(gc_th)
	- f2fs_ioc_shutdown
	- f2fs_do_shutdown
	- f2fs_stop_gc_thread
	- kthread_stop(gc_th->f2fs_gc_task)
	: sbi->gc_thread = NULL;

	We will call f2fs_do_shutdown() in two paths:
	- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
	for fixing.
	- for f2fs_shutdown() path, it's safe since caller has already grabbed
	sb->s_umount semaphore.

	The Linux kernel CVE team has assigned CVE-2024-47691 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.6.54 with commit fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812
	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.10.13 with commit 7c339dee7eb0f8e4cadc317c595f898ef04dae30
	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.11.2 with commit d79343cd66343709e409d96b2abb139a0a55ce34
	Issue introduced in 4.16 with commit 7950e9ac638e84518fbdd5c930939ad46a1068c5 and fixed in 6.12 with commit c7f114d864ac91515bb07ac271e9824a20f5ed95

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47691
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/f2fs.h
	fs/f2fs/file.c
	fs/f2fs/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812
	https://git.kernel.org/stable/c/7c339dee7eb0f8e4cadc317c595f898ef04dae30
	https://git.kernel.org/stable/c/d79343cd66343709e409d96b2abb139a0a55ce34
	https://git.kernel.org/stable/c/c7f114d864ac91515bb07ac271e9824a20f5ed95