cve/published/2024/CVE-2024-49887.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49887: f2fs: fix to don't panic system for no free segment fault injection

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to don't panic system for no free segment fault injection

 f2fs: fix to don't panic system for no free segment fault injection

 syzbot reports a f2fs bug as below:

 F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
 F2FS-fs (loop0): Stopped filesystem due to reason: 7
 ------------[ cut here ]------------
 kernel BUG at fs/f2fs/segment.c:2748!
 CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0
 RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
 RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836
 Call Trace:
  __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
  f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]
  f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195
  f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799
  f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903
  vfs_fallocate+0x553/0x6c0 fs/open.c:334
  do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886
  __do_sys_ioctl fs/ioctl.c:905 [inline]
  __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
 RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836

 The root cause is when we inject no free segment fault into f2fs,
 we should not panic system, fix it.

 The Linux kernel CVE team has assigned CVE-2024-49887 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.10.14 with commit 9f6e7a0512a57387d36f5e9e9635d6668cac13dd
 	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.11.3 with commit 645ec43760e86d3079fee2e8b51fde7060a540d0
 	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.12 with commit 65a6ce4726c27b45600303f06496fef46d00b57f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49887
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/segment.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9f6e7a0512a57387d36f5e9e9635d6668cac13dd
 	https://git.kernel.org/stable/c/645ec43760e86d3079fee2e8b51fde7060a540d0
 	https://git.kernel.org/stable/c/65a6ce4726c27b45600303f06496fef46d00b57f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49887: f2fs: fix to don't panic system for no free segment fault injection

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to don't panic system for no free segment fault injection

	f2fs: fix to don't panic system for no free segment fault injection

	syzbot reports a f2fs bug as below:

	F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
	F2FS-fs (loop0): Stopped filesystem due to reason: 7
	------------[ cut here ]------------
	kernel BUG at fs/f2fs/segment.c:2748!
	CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0
	RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
	RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836
	Call Trace:
	__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
	f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]
	f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195
	f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799
	f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903
	vfs_fallocate+0x553/0x6c0 fs/open.c:334
	do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886
	__do_sys_ioctl fs/ioctl.c:905 [inline]
	__se_sys_ioctl+0x81/0x170 fs/ioctl.c:893
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
	RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836

	The root cause is when we inject no free segment fault into f2fs,
	we should not panic system, fix it.

	The Linux kernel CVE team has assigned CVE-2024-49887 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.10.14 with commit 9f6e7a0512a57387d36f5e9e9635d6668cac13dd
	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.11.3 with commit 645ec43760e86d3079fee2e8b51fde7060a540d0
	Issue introduced in 6.9 with commit 8b10d3653735e117bc1954ade80d75ad7b46b801 and fixed in 6.12 with commit 65a6ce4726c27b45600303f06496fef46d00b57f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49887
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/segment.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9f6e7a0512a57387d36f5e9e9635d6668cac13dd
	https://git.kernel.org/stable/c/645ec43760e86d3079fee2e8b51fde7060a540d0
	https://git.kernel.org/stable/c/65a6ce4726c27b45600303f06496fef46d00b57f