cve/published/2024/CVE-2024-49958.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49958: ocfs2: reserve space for inline xattr before attaching reflink tree

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ocfs2: reserve space for inline xattr before attaching reflink tree

 One of our customers reported a crash and a corrupted ocfs2 filesystem.
 The crash was due to the detection of corruption.  Upon troubleshooting,
 the fsck -fn output showed the below corruption

 [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
 but fsck believes the largest valid value is 227.  Clamp the next record value? n

 The stat output from the debugfs.ocfs2 showed the following corruption
 where the "Next Free Rec:" had overshot the "Count:" in the root metadata
 block.

         Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
         FS Generation: 904309833 (0x35e6ac49)
         CRC32: 00000000   ECC: 0000
         Type: Regular   Attr: 0x0   Flags: Valid
         Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
         Extended Attributes Block: 0  Extended Attributes Inline Size: 256
         User: 0 (root)   Group: 0 (root)   Size: 281320357888
         Links: 1   Clusters: 141738
         ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
         atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
         mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
         dtime: 0x0 -- Wed Dec 31 17:00:00 1969
         Refcount Block: 2777346
         Last Extblk: 2886943   Orphan Slot: 0
         Sub Alloc Slot: 0   Sub Alloc Bit: 14
         Tree Depth: 1   Count: 227   Next Free Rec: 230
         ## Offset        Clusters       Block#
         0  0             2310           2776351
         1  2310          2139           2777375
         2  4449          1221           2778399
         3  5670          731            2779423
         4  6401          566            2780447
         .......          ....           .......
         .......          ....           .......

 The issue was in the reflink workfow while reserving space for inline
 xattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the
 time this function is called the reflink tree is already recreated at the
 destination inode from the source inode.  At this point, this function
 reserves space for inline xattrs at the destination inode without even
 checking if there is space at the root metadata block.  It simply reduces
 the l_count from 243 to 227 thereby making space of 256 bytes for inline
 xattr whereas the inode already has extents beyond this index (in this
 case up to 230), thereby causing corruption.

 The fix for this is to reserve space for inline metadata at the destination
 inode before the reflink tree gets recreated. The customer has verified the
 fix.

 The Linux kernel CVE team has assigned CVE-2024-49958 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 4.19.323 with commit 5c9807c523b4fca81d3e8e864dabc8c806402121
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.4.285 with commit 74364cb578dcc0b6c9109519d19cbe5a56afac9a
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.10.227 with commit aac31d654a0a31cb0d2fa36ae694f4e164a52707
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.15.168 with commit 020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.1.113 with commit 5c2072f02c0d75802ec28ec703b7d43a0dd008b5
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.6.55 with commit 637c00e06564a945e9d0edb3d78d362d64935f9f
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.10.14 with commit 9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.11.3 with commit 96ce4c3537114d1698be635f5e36c62dc49df7a4
 	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.12 with commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0
 	Issue introduced in 3.0.87 with commit 3a32958d2ac96070c53d04bd8e013c97b260b5e6
 	Issue introduced in 3.2.49 with commit 93f26306db89c9dc37885b76a1082e6d54d23b16
 	Issue introduced in 3.4.54 with commit 26a849f49fb3347d126a0ed6611173f903374ef4
 	Issue introduced in 3.9.11 with commit 1e7e4c9ae2a78a6791a2ca91a6a400f94855f01e
 	Issue introduced in 3.10.2 with commit 1926bf8ae44d80c9f50103f11fc4f17e2e2bf684

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49958
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ocfs2/refcounttree.c
 	fs/ocfs2/xattr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121
 	https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a
 	https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707
 	https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
 	https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5
 	https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f
 	https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
 	https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4
 	https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49958: ocfs2: reserve space for inline xattr before attaching reflink tree

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ocfs2: reserve space for inline xattr before attaching reflink tree

	One of our customers reported a crash and a corrupted ocfs2 filesystem.
	The crash was due to the detection of corruption. Upon troubleshooting,
	the fsck -fn output showed the below corruption

	[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
	but fsck believes the largest valid value is 227. Clamp the next record value? n

	The stat output from the debugfs.ocfs2 showed the following corruption
	where the "Next Free Rec:" had overshot the "Count:" in the root metadata
	block.

	Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)
	FS Generation: 904309833 (0x35e6ac49)
	CRC32: 00000000 ECC: 0000
	Type: Regular Attr: 0x0 Flags: Valid
	Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
	Extended Attributes Block: 0 Extended Attributes Inline Size: 256
	User: 0 (root) Group: 0 (root) Size: 281320357888
	Links: 1 Clusters: 141738
	ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
	atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
	mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
	dtime: 0x0 -- Wed Dec 31 17:00:00 1969
	Refcount Block: 2777346
	Last Extblk: 2886943 Orphan Slot: 0
	Sub Alloc Slot: 0 Sub Alloc Bit: 14
	Tree Depth: 1 Count: 227 Next Free Rec: 230
	## Offset Clusters Block#
	0 0 2310 2776351
	1 2310 2139 2777375
	2 4449 1221 2778399
	3 5670 731 2779423
	4 6401 566 2780447
	....... .... .......
	....... .... .......

	The issue was in the reflink workfow while reserving space for inline
	xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the
	time this function is called the reflink tree is already recreated at the
	destination inode from the source inode. At this point, this function
	reserves space for inline xattrs at the destination inode without even
	checking if there is space at the root metadata block. It simply reduces
	the l_count from 243 to 227 thereby making space of 256 bytes for inline
	xattr whereas the inode already has extents beyond this index (in this
	case up to 230), thereby causing corruption.

	The fix for this is to reserve space for inline metadata at the destination
	inode before the reflink tree gets recreated. The customer has verified the
	fix.

	The Linux kernel CVE team has assigned CVE-2024-49958 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 4.19.323 with commit 5c9807c523b4fca81d3e8e864dabc8c806402121
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.4.285 with commit 74364cb578dcc0b6c9109519d19cbe5a56afac9a
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.10.227 with commit aac31d654a0a31cb0d2fa36ae694f4e164a52707
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 5.15.168 with commit 020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.1.113 with commit 5c2072f02c0d75802ec28ec703b7d43a0dd008b5
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.6.55 with commit 637c00e06564a945e9d0edb3d78d362d64935f9f
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.10.14 with commit 9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.11.3 with commit 96ce4c3537114d1698be635f5e36c62dc49df7a4
	Issue introduced in 3.11 with commit ef962df057aaafd714f5c22ba3de1be459571fdf and fixed in 6.12 with commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0
	Issue introduced in 3.0.87 with commit 3a32958d2ac96070c53d04bd8e013c97b260b5e6
	Issue introduced in 3.2.49 with commit 93f26306db89c9dc37885b76a1082e6d54d23b16
	Issue introduced in 3.4.54 with commit 26a849f49fb3347d126a0ed6611173f903374ef4
	Issue introduced in 3.9.11 with commit 1e7e4c9ae2a78a6791a2ca91a6a400f94855f01e
	Issue introduced in 3.10.2 with commit 1926bf8ae44d80c9f50103f11fc4f17e2e2bf684

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49958
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ocfs2/refcounttree.c
	fs/ocfs2/xattr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121
	https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a
	https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707
	https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1
	https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5
	https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f
	https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9
	https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4
	https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0