From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-53112: ocfs2: uncache inode which has failed entering the group

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: uncache inode which has failed entering the group

Syzbot has reported the following BUG:

kernel BUG at fs/ocfs2/uptodate.c:509!
...
Call Trace:
<TASK>
? __die_body+0x5f/0xb0
? die+0x9e/0xc0
? do_trap+0x15a/0x3a0
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? do_error_trap+0x1dc/0x2c0
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? __pfx_do_error_trap+0x10/0x10
? handle_invalid_op+0x34/0x40
? ocfs2_set_new_buffer_uptodate+0x145/0x160
? exc_invalid_op+0x38/0x50
? asm_exc_invalid_op+0x1a/0x20
? ocfs2_set_new_buffer_uptodate+0x2e/0x160
? ocfs2_set_new_buffer_uptodate+0x144/0x160
? ocfs2_set_new_buffer_uptodate+0x145/0x160
ocfs2_group_add+0x39f/0x15a0
? __pfx_ocfs2_group_add+0x10/0x10
? __pfx_lock_acquire+0x10/0x10
? mnt_get_write_access+0x68/0x2b0
? __pfx_lock_release+0x10/0x10
? rcu_read_lock_any_held+0xb7/0x160
? __pfx_rcu_read_lock_any_held+0x10/0x10
? smack_log+0x123/0x540
? mnt_get_write_access+0x68/0x2b0
? mnt_get_write_access+0x68/0x2b0
? mnt_get_write_access+0x226/0x2b0
ocfs2_ioctl+0x65e/0x7d0
? __pfx_ocfs2_ioctl+0x10/0x10
? smack_file_ioctl+0x29e/0x3a0
? __pfx_smack_file_ioctl+0x10/0x10
? lockdep_hardirqs_on_prepare+0x43d/0x780
? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
? __pfx_ocfs2_ioctl+0x10/0x10
__se_sys_ioctl+0xfb/0x170
do_syscall_64+0xf3/0x230
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>

When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular
inode in 'ocfs2_verify_group_and_input()', the corresponding buffer head
remains cached and a subsequent call to the same 'ioctl()' for the same
inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying
to cache the same buffer head of that inode). Fix this by uncaching
the buffer head with 'ocfs2_remove_from_cache()' on the error path in
'ocfs2_group_add()'.
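The cache-state sequence the description walks through, as an added model that is not the kernel's code: the unfixed error path leaves the block cached, so retrying the same ioctl trips the "already cached" check that the kernel turns into BUG(); the fixed path uncaches the block before returning the error. The small per-block flag table, the block number 42 and the -EEXIST return standing in for BUG() are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-in for ocfs2's per-inode metadata cache (not kernel code). */
#define NBLOCKS 64
struct meta_cache {
    bool cached[NBLOCKS];   /* one flag per block number in a small range */
};

/* Model of ocfs2_set_new_buffer_uptodate(): -EEXIST stands in for the kernel's BUG(). */
static int set_new_buffer_uptodate(struct meta_cache *c, unsigned blkno)
{
    if (blkno >= NBLOCKS)
        return -EINVAL;
    if (c->cached[blkno])
        return -EEXIST;     /* kernel: BUG() at fs/ocfs2/uptodate.c */
    c->cached[blkno] = true;
    return 0;
}

/* Model of ocfs2_remove_from_cache(). */
static void remove_from_cache(struct meta_cache *c, unsigned blkno)
{
    if (blkno < NBLOCKS) c->cached[blkno] = false;
}

/* Model of ocfs2_group_add(): cache the new group's block, then verify it.
 * 'fixed' selects whether the error path uncaches the block (the CVE fix). */
static int group_add(struct meta_cache *c, unsigned blkno, bool verify_ok, bool fixed)
{
    int ret = set_new_buffer_uptodate(c, blkno);
    if (ret)
        return ret;
    if (!verify_ok) {       /* ocfs2_verify_group_and_input() rejected the input */
        if (fixed)
            remove_from_cache(c, blkno);
        return -EINVAL;
    }
    return 0;
}

/* The syzbot scenario: same ioctl twice for one block, first call fails verification. */
static int retry_after_failure(bool fixed)
{
    struct meta_cache c = {0};
    group_add(&c, 42, false, fixed);        /* returns -EINVAL either way */
    return group_add(&c, 42, true, fixed);  /* unfixed: -EEXIST (BUG); fixed: 0 */
}
```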

The Linux kernel CVE team has assigned CVE-2024-53112 to this issue.


Affected and fixed versions
===========================

Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 4.19.325 with commit ac0cfe8ac35cf1be54131b90d114087b558777ca
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 5.4.287 with commit 5ae8cc0b0c027e9cab22596049bc4dd1cbc37ee4
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 5.10.231 with commit 28d4ed71ae0b4baedca3e85ee6d8f227ec75ebf6
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 5.15.174 with commit 0e04746db2ec4aec04cef5763b9d9aa32829ae2f
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 6.1.119 with commit 620d22598110b0d0cb97a3fcca65fc473ea86e73
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 6.6.63 with commit 843dfc804af4b338ead42331dd58081b428ecdf8
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 6.11.10 with commit b751c50e19d66cfb7360c0b55cf17b0722252d12
Issue introduced in 2.6.25 with commit 7909f2bf835376a20d6dbf853eb459a27566eba2 and fixed in 6.12 with commit 737f34137844d6572ab7d473c998c7f977ff30eb

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-53112
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/ocfs2/resize.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ac0cfe8ac35cf1be54131b90d114087b558777ca
https://git.kernel.org/stable/c/5ae8cc0b0c027e9cab22596049bc4dd1cbc37ee4
https://git.kernel.org/stable/c/28d4ed71ae0b4baedca3e85ee6d8f227ec75ebf6
https://git.kernel.org/stable/c/0e04746db2ec4aec04cef5763b9d9aa32829ae2f
https://git.kernel.org/stable/c/620d22598110b0d0cb97a3fcca65fc473ea86e73
https://git.kernel.org/stable/c/843dfc804af4b338ead42331dd58081b428ecdf8
https://git.kernel.org/stable/c/b751c50e19d66cfb7360c0b55cf17b0722252d12
https://git.kernel.org/stable/c/737f34137844d6572ab7d473c998c7f977ff30eb