416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-26956CVE-2024-26956
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
Patch series “nilfs2: fix kernel bug at submit_bh_wbc()”.
This resolves a kernel BUG reported by syzbot. Since there are two
flaws involved, I’ve made each one a separate patch.
The first patch alone resolves the syzbot-reported bug, but I think
both fixes should be sent to stable, so I’ve tagged them as such.
This patch (of 2):
Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data
to a nilfs2 file system whose metadata is corrupted.
There are two flaws involved in this issue.
The first flaw is that when nilfs_get_block() locates a data block using
btree or direct mapping, if the disk address translation routine
nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata
corruption, it can be passed back to nilfs_get_block(). This causes
nilfs_get_block() to misidentify an existing block as non-existent,
causing both data block lookup and insertion to fail inconsistently.
The second flaw is that nilfs_get_block() returns a successful status in
this inconsistent state. This causes the caller __block_write_begin_int()
or others to request a read even though the buffer is not mapped,
resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()
failing.
This fixes the first issue by changing the return value to code -EINVAL
when a conversion using DAT fails with code -ENOENT, avoiding the
conflicting condition that leads to the kernel bug described above. Here,
code -EINVAL indicates that metadata corruption was detected during the
block lookup, which will be properly handled as a file system error and
converted to -EIO when passing through the nilfs2 bmap layer.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
CNA Affected
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/nilfs2/btree.c",
"fs/nilfs2/direct.c"
],
"versions": [
{
"version": "c3a7abf06ce7",
"lessThan": "b67189690eb4",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "9cbe1ad5f435",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "c3b5c5c31e72",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "2e2619ff5d0d",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "46b832e09d43",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "f69e81396aea",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "a8e4d098de1c",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "82827ca21e7c",
"status": "affected",
"versionType": "git"
},
{
"version": "c3a7abf06ce7",
"lessThan": "f2f26b4a84a0",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/nilfs2/btree.c",
"fs/nilfs2/direct.c"
],
"versions": [
{
"version": "2.6.31",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.31",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.312",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.274",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.215",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.154",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.84",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.24",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.7.12",
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.8.3",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]References
git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84
git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7
git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4
git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e
git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713
git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35
git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb
git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba
git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862
lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Related
