cve/published/2024/CVE-2024-50202.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50202: nilfs2: propagate directory read errors from nilfs_find_entry()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: propagate directory read errors from nilfs_find_entry()

 Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
 test for nilfs2.

 The root cause of this problem is that in nilfs_find_entry(), which
 searches for directory entries, ignores errors when loading a directory
 page/folio via nilfs_get_folio() fails.

 If the filesystem images is corrupted, and the i_size of the directory
 inode is large, and the directory page/folio is successfully read but
 fails the sanity check, for example when it is zero-filled,
 nilfs_check_folio() may continue to spit out error messages in bursts.

 Fix this issue by propagating the error to the callers when loading a
 page/folio fails in nilfs_find_entry().

 The current interface of nilfs_find_entry() and its callers is outdated
 and cannot propagate error codes such as -EIO and -ENOMEM returned via
 nilfs_find_entry(), so fix it together.

 The Linux kernel CVE team has assigned CVE-2024-50202 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 4.19.323 with commit bb857ae1efd3138c653239ed1e7aef14e1242c81
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.285 with commit b4b3dc9e7e604be98a222e9f941f5e93798ca475
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.228 with commit c1d0476885d708a932980b0f28cd90d9bd71db39
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.169 with commit edf8146057264191d5bfe5b91773f13d936dadd3
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.114 with commit 270a6f9df35fa2aea01ec23770dc9b3fc9a12989
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.58 with commit 9698088ac7704e260f492d9c254e29ed7dd8729a
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.11.5 with commit efa810b15a25531cbc2f527330947b9fe16916e7
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.12 with commit 08cfa12adf888db98879dbd735bc741360a34168

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50202
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nilfs2/dir.c
 	fs/nilfs2/namei.c
 	fs/nilfs2/nilfs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bb857ae1efd3138c653239ed1e7aef14e1242c81
 	https://git.kernel.org/stable/c/b4b3dc9e7e604be98a222e9f941f5e93798ca475
 	https://git.kernel.org/stable/c/c1d0476885d708a932980b0f28cd90d9bd71db39
 	https://git.kernel.org/stable/c/edf8146057264191d5bfe5b91773f13d936dadd3
 	https://git.kernel.org/stable/c/270a6f9df35fa2aea01ec23770dc9b3fc9a12989
 	https://git.kernel.org/stable/c/9698088ac7704e260f492d9c254e29ed7dd8729a
 	https://git.kernel.org/stable/c/efa810b15a25531cbc2f527330947b9fe16916e7
 	https://git.kernel.org/stable/c/08cfa12adf888db98879dbd735bc741360a34168
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50202: nilfs2: propagate directory read errors from nilfs_find_entry()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nilfs2: propagate directory read errors from nilfs_find_entry()

	Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
	test for nilfs2.

	The root cause of this problem is that in nilfs_find_entry(), which
	searches for directory entries, ignores errors when loading a directory
	page/folio via nilfs_get_folio() fails.

	If the filesystem images is corrupted, and the i_size of the directory
	inode is large, and the directory page/folio is successfully read but
	fails the sanity check, for example when it is zero-filled,
	nilfs_check_folio() may continue to spit out error messages in bursts.

	Fix this issue by propagating the error to the callers when loading a
	page/folio fails in nilfs_find_entry().

	The current interface of nilfs_find_entry() and its callers is outdated
	and cannot propagate error codes such as -EIO and -ENOMEM returned via
	nilfs_find_entry(), so fix it together.

	The Linux kernel CVE team has assigned CVE-2024-50202 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 4.19.323 with commit bb857ae1efd3138c653239ed1e7aef14e1242c81
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.285 with commit b4b3dc9e7e604be98a222e9f941f5e93798ca475
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.228 with commit c1d0476885d708a932980b0f28cd90d9bd71db39
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.169 with commit edf8146057264191d5bfe5b91773f13d936dadd3
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.114 with commit 270a6f9df35fa2aea01ec23770dc9b3fc9a12989
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.58 with commit 9698088ac7704e260f492d9c254e29ed7dd8729a
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.11.5 with commit efa810b15a25531cbc2f527330947b9fe16916e7
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.12 with commit 08cfa12adf888db98879dbd735bc741360a34168

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50202
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nilfs2/dir.c
	fs/nilfs2/namei.c
	fs/nilfs2/nilfs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bb857ae1efd3138c653239ed1e7aef14e1242c81
	https://git.kernel.org/stable/c/b4b3dc9e7e604be98a222e9f941f5e93798ca475
	https://git.kernel.org/stable/c/c1d0476885d708a932980b0f28cd90d9bd71db39
	https://git.kernel.org/stable/c/edf8146057264191d5bfe5b91773f13d936dadd3
	https://git.kernel.org/stable/c/270a6f9df35fa2aea01ec23770dc9b3fc9a12989
	https://git.kernel.org/stable/c/9698088ac7704e260f492d9c254e29ed7dd8729a
	https://git.kernel.org/stable/c/efa810b15a25531cbc2f527330947b9fe16916e7
	https://git.kernel.org/stable/c/08cfa12adf888db98879dbd735bc741360a34168