cve/published/2024/CVE-2024-50006.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50006: ext4: fix i_data_sem unlock order in ext4_ind_migrate()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: fix i_data_sem unlock order in ext4_ind_migrate()

 Fuzzing reports a possible deadlock in jbd2_log_wait_commit.

 This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
 synchronous updates because the file descriptor is opened with O_SYNC.
 This can lead to the jbd2_journal_stop() function calling
 jbd2_might_wait_for_commit(), potentially causing a deadlock if the
 EXT4_IOC_MIGRATE call races with a write(2) system call.

 This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
 case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
 jbd2_journal_stop function while i_data_sem is locked. This triggers
 lockdep because the jbd2_journal_start function might also lock the same
 jbd2_handle simultaneously.

 Found by Linux Verification Center (linuxtesting.org) with syzkaller.

 Rule: add

 The Linux kernel CVE team has assigned CVE-2024-50006 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.323 with commit 4192adefc9c570698821c5eb9873320eac2fcbf1
 	Fixed in 5.4.285 with commit 3c46d6060d3e38de22196c1fe7706c5a3c696285
 	Fixed in 5.10.227 with commit 53b1999cfd2c7addf2e581a32865fe8835467b44
 	Fixed in 5.15.168 with commit ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
 	Fixed in 6.1.113 with commit 9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
 	Fixed in 6.6.55 with commit d43776b907659affef1de888525847d64b244194
 	Fixed in 6.10.14 with commit 6252cb6bde7fc76cb8dcb49d1def7c326b190820
 	Fixed in 6.11.3 with commit d58a00e981d3118b91d503da263e640b7cde6729
 	Fixed in 6.12 with commit cc749e61c011c255d81b192a822db650c68b313f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50006
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/migrate.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4192adefc9c570698821c5eb9873320eac2fcbf1
 	https://git.kernel.org/stable/c/3c46d6060d3e38de22196c1fe7706c5a3c696285
 	https://git.kernel.org/stable/c/53b1999cfd2c7addf2e581a32865fe8835467b44
 	https://git.kernel.org/stable/c/ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
 	https://git.kernel.org/stable/c/9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
 	https://git.kernel.org/stable/c/d43776b907659affef1de888525847d64b244194
 	https://git.kernel.org/stable/c/6252cb6bde7fc76cb8dcb49d1def7c326b190820
 	https://git.kernel.org/stable/c/d58a00e981d3118b91d503da263e640b7cde6729
 	https://git.kernel.org/stable/c/cc749e61c011c255d81b192a822db650c68b313f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50006: ext4: fix i_data_sem unlock order in ext4_ind_migrate()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: fix i_data_sem unlock order in ext4_ind_migrate()

	Fuzzing reports a possible deadlock in jbd2_log_wait_commit.

	This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
	synchronous updates because the file descriptor is opened with O_SYNC.
	This can lead to the jbd2_journal_stop() function calling
	jbd2_might_wait_for_commit(), potentially causing a deadlock if the
	EXT4_IOC_MIGRATE call races with a write(2) system call.

	This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
	case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
	jbd2_journal_stop function while i_data_sem is locked. This triggers
	lockdep because the jbd2_journal_start function might also lock the same
	jbd2_handle simultaneously.

	Found by Linux Verification Center (linuxtesting.org) with syzkaller.

	Rule: add

	The Linux kernel CVE team has assigned CVE-2024-50006 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.323 with commit 4192adefc9c570698821c5eb9873320eac2fcbf1
	Fixed in 5.4.285 with commit 3c46d6060d3e38de22196c1fe7706c5a3c696285
	Fixed in 5.10.227 with commit 53b1999cfd2c7addf2e581a32865fe8835467b44
	Fixed in 5.15.168 with commit ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
	Fixed in 6.1.113 with commit 9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
	Fixed in 6.6.55 with commit d43776b907659affef1de888525847d64b244194
	Fixed in 6.10.14 with commit 6252cb6bde7fc76cb8dcb49d1def7c326b190820
	Fixed in 6.11.3 with commit d58a00e981d3118b91d503da263e640b7cde6729
	Fixed in 6.12 with commit cc749e61c011c255d81b192a822db650c68b313f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50006
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/migrate.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4192adefc9c570698821c5eb9873320eac2fcbf1
	https://git.kernel.org/stable/c/3c46d6060d3e38de22196c1fe7706c5a3c696285
	https://git.kernel.org/stable/c/53b1999cfd2c7addf2e581a32865fe8835467b44
	https://git.kernel.org/stable/c/ef05572da0c0eb89614ed01cc17d3c882bdbd1ff
	https://git.kernel.org/stable/c/9fedf51ab8cf7b69bff08f37fe0989fec7f5d870
	https://git.kernel.org/stable/c/d43776b907659affef1de888525847d64b244194
	https://git.kernel.org/stable/c/6252cb6bde7fc76cb8dcb49d1def7c326b190820
	https://git.kernel.org/stable/c/d58a00e981d3118b91d503da263e640b7cde6729
	https://git.kernel.org/stable/c/cc749e61c011c255d81b192a822db650c68b313f