cve/published/2024/CVE-2024-47701.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47701: ext4: avoid OOB when system.data xattr changes underneath the filesystem

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: avoid OOB when system.data xattr changes underneath the filesystem

 When looking up for an entry in an inlined directory, if e_value_offs is
 changed underneath the filesystem by some change in the block device, it
 will lead to an out-of-bounds access that KASAN detects as an UAF.

 EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
 loop0: detected capacity change from 2048 to 2047
 ==================================================================
 BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:93 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:488
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
  ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
  __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
  ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
  ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
  lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
  filename_create+0x297/0x540 fs/namei.c:3980
  do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
  __do_sys_symlinkat fs/namei.c:4610 [inline]
  __se_sys_symlinkat fs/namei.c:4607 [inline]
  __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f3e73ced469
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
 RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
 R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
  </TASK>

 Calling ext4_xattr_ibody_find right after reading the inode with
 ext4_get_inode_loc will lead to a check of the validity of the xattrs,
 avoiding this problem.

 The Linux kernel CVE team has assigned CVE-2024-47701 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 4.19.323 with commit 5b076d37e8d99918e9294bd6b35a8bbb436819b0
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.4.285 with commit 8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.10.227 with commit 7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.15.168 with commit be2e9b111e2790962cc66a177869b4e9717b4e29
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.1.113 with commit ea32883e4a03ed575a2eb7a66542022312bde477
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.6.54 with commit 2a6579ef5f2576a940125729f7409cc182f1c8df
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.10.13 with commit 371d0bacecd529f887ea2547333d9173e7bcdc0a
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.11.2 with commit ccb8c18076e2e630fea23fbec583cdad61787fc5
 	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.12 with commit c6b72f5d82b1017bad80f9ebf502832fc321d796

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47701
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/inline.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0
 	https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
 	https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
 	https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29
 	https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477
 	https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df
 	https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a
 	https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5
 	https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47701: ext4: avoid OOB when system.data xattr changes underneath the filesystem

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: avoid OOB when system.data xattr changes underneath the filesystem

	When looking up for an entry in an inlined directory, if e_value_offs is
	changed underneath the filesystem by some change in the block device, it
	will lead to an out-of-bounds access that KASAN detects as an UAF.

	EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
	loop0: detected capacity change from 2048 to 2047
	==================================================================
	BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
	Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

	CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:93 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
	ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
	__ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
	ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
	ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
	lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
	filename_create+0x297/0x540 fs/namei.c:3980
	do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
	__do_sys_symlinkat fs/namei.c:4610 [inline]
	__se_sys_symlinkat fs/namei.c:4607 [inline]
	__x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f3e73ced469
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
	RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
	RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
	RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
	R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
	R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
	</TASK>

	Calling ext4_xattr_ibody_find right after reading the inode with
	ext4_get_inode_loc will lead to a check of the validity of the xattrs,
	avoiding this problem.

	The Linux kernel CVE team has assigned CVE-2024-47701 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 4.19.323 with commit 5b076d37e8d99918e9294bd6b35a8bbb436819b0
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.4.285 with commit 8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.10.227 with commit 7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 5.15.168 with commit be2e9b111e2790962cc66a177869b4e9717b4e29
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.1.113 with commit ea32883e4a03ed575a2eb7a66542022312bde477
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.6.54 with commit 2a6579ef5f2576a940125729f7409cc182f1c8df
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.10.13 with commit 371d0bacecd529f887ea2547333d9173e7bcdc0a
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.11.2 with commit ccb8c18076e2e630fea23fbec583cdad61787fc5
	Issue introduced in 3.8 with commit e8e948e7802a2ab05c146d3e72a39b93b5718236 and fixed in 6.12 with commit c6b72f5d82b1017bad80f9ebf502832fc321d796

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47701
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/inline.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0
	https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
	https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
	https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29
	https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477
	https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df
	https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a
	https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5
	https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796