cve/published/2024/CVE-2024-57892.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57892: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

 When mounting ocfs2 and then remounting it as read-only, a
 slab-use-after-free occurs after the user uses a syscall to
 quota_getnextquota.  Specifically, sb_dqinfo(sb, type)->dqi_priv is the
 dangling pointer.

 During the remounting process, the pointer dqi_priv is freed but is never
 set as null leaving it to be accessed.  Additionally, the read-only option
 for remounting sets the DQUOT_SUSPENDED flag instead of setting the
 DQUOT_USAGE_ENABLED flags.  Moreover, later in the process of getting the
 next quota, the function ocfs2_get_next_id is called and only checks the
 quota usage flags and not the quota suspended flags.

 To fix this, I set dqi_priv to null when it is freed after remounting with
 read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.

 [akpm@linux-foundation.org: coding-style cleanups]

 The Linux kernel CVE team has assigned CVE-2024-57892 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.4.290 with commit 58f9e20e2a7602e1dd649a1ec4790077c251cb6c
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.10.234 with commit 8ff6f635a08c30559ded0c110c7ce03ba7747d11
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.15.177 with commit f44e6d70c100614c211703f065cad448050e4a0e
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.1.125 with commit 2d431192486367eee03cc28d0b53b97dafcb8e63
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.6.70 with commit 2e3d203b1adede46bbba049e497765d67865be18
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.12.9 with commit ba950a02d8d23811aa1120affd3adedcfac6153d
 	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.13 with commit 5f3fd772d152229d94602bca243fbb658068a597

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57892
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ocfs2/quota_global.c
 	fs/ocfs2/quota_local.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/58f9e20e2a7602e1dd649a1ec4790077c251cb6c
 	https://git.kernel.org/stable/c/8ff6f635a08c30559ded0c110c7ce03ba7747d11
 	https://git.kernel.org/stable/c/f44e6d70c100614c211703f065cad448050e4a0e
 	https://git.kernel.org/stable/c/2d431192486367eee03cc28d0b53b97dafcb8e63
 	https://git.kernel.org/stable/c/2e3d203b1adede46bbba049e497765d67865be18
 	https://git.kernel.org/stable/c/ba950a02d8d23811aa1120affd3adedcfac6153d
 	https://git.kernel.org/stable/c/5f3fd772d152229d94602bca243fbb658068a597
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57892: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

	When mounting ocfs2 and then remounting it as read-only, a
	slab-use-after-free occurs after the user uses a syscall to
	quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
	dangling pointer.

	During the remounting process, the pointer dqi_priv is freed but is never
	set as null leaving it to be accessed. Additionally, the read-only option
	for remounting sets the DQUOT_SUSPENDED flag instead of setting the
	DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
	next quota, the function ocfs2_get_next_id is called and only checks the
	quota usage flags and not the quota suspended flags.

	To fix this, I set dqi_priv to null when it is freed after remounting with
	read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.

	[akpm@linux-foundation.org: coding-style cleanups]

	The Linux kernel CVE team has assigned CVE-2024-57892 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.4.290 with commit 58f9e20e2a7602e1dd649a1ec4790077c251cb6c
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.10.234 with commit 8ff6f635a08c30559ded0c110c7ce03ba7747d11
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 5.15.177 with commit f44e6d70c100614c211703f065cad448050e4a0e
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.1.125 with commit 2d431192486367eee03cc28d0b53b97dafcb8e63
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.6.70 with commit 2e3d203b1adede46bbba049e497765d67865be18
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.12.9 with commit ba950a02d8d23811aa1120affd3adedcfac6153d
	Issue introduced in 4.6 with commit 8f9e8f5fcc059a3cba87ce837c88316797ef3645 and fixed in 6.13 with commit 5f3fd772d152229d94602bca243fbb658068a597

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57892
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ocfs2/quota_global.c
	fs/ocfs2/quota_local.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/58f9e20e2a7602e1dd649a1ec4790077c251cb6c
	https://git.kernel.org/stable/c/8ff6f635a08c30559ded0c110c7ce03ba7747d11
	https://git.kernel.org/stable/c/f44e6d70c100614c211703f065cad448050e4a0e
	https://git.kernel.org/stable/c/2d431192486367eee03cc28d0b53b97dafcb8e63
	https://git.kernel.org/stable/c/2e3d203b1adede46bbba049e497765d67865be18
	https://git.kernel.org/stable/c/ba950a02d8d23811aa1120affd3adedcfac6153d
	https://git.kernel.org/stable/c/5f3fd772d152229d94602bca243fbb658068a597