Ubuntu.comUB:CVE-2023-52604CVE-2023-52604
In the Linux kernel, the following vulnerability has been resolved:
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Syzkaller reported the
following issue: UBSAN: array-index-out-of-bounds in
fs/jfs/jfs_dmap.c:2867:6 index 196694 is out of range for type ‘s8[1365]’
(aka ‘signed char[1365]’) CPU: 1 PID: 109 Comm: jfsCommit Not tainted
6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google
Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack
lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0
lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0
fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650
fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370
kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK>
Kernel panic - not syncing: UBSAN: panic_on_warn set … CPU: 1 PID: 109
Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google
Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call
Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 panic+0x30f/0x770
kernel/panic.c:340 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
ubsan_epilogue lib/ubsan.c:223 [inline]
__ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0
fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650
fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370
kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> Kernel
Offset: disabled Rebooting in 86400 seconds… The issue is caused when the
value of lp becomes greater than CTLTREESIZE which is the max size of
stree. Adding a simple check solves this issue. Dave: As the function
returns a void, good error handling would require a more intrusive code
reorganization, so I modified Osama’s patch at use WARN_ON_ONCE for lack of
a cleaner option. The patch is tested via syzbot.
Bugs
- <https://bugzilla.redhat.com/show_bug.cgi?id=2268297>
- <https://bugzilla.suse.com/show_bug.cgi?id=1221067>
Notes
| Author | Note |
|---|---|
| sbeattie | the added check that “fixes” this issue gets removed as part of the commit that fixes CVE-2023-52601, 74ecdda68242 (“jfs: fix array-index-out-of-bounds in dbAdjTree”) |
| cengizcan | the fix to CVE-2023-52601 also fixes this. |
| rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | linux | < 4.15.0-225.237 | UNKNOWN |
| ubuntu | 20.04 | noarch | linux | < 5.4.0-181.201 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < 5.15.0-106.116 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux | < 6.5.0-35.35 | UNKNOWN |
| ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | linux | < 4.4.0-254.288 | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1168.181 | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1124.134 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1061.67 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1020.20 | UNKNOWN |
References
git.kernel.org/linus/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 (6.8-rc1)
git.kernel.org/stable/c/42f433785f108893de0dd5260bafb85d7d51db03
git.kernel.org/stable/c/59342822276f753e49d27ef5eebffbba990572b9
git.kernel.org/stable/c/6a44065dd604972ec1fbcccbdc4a70d266a89cdd
git.kernel.org/stable/c/6fe8b702125aeee6ce83f20092a2341446704e7b
git.kernel.org/stable/c/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68
git.kernel.org/stable/c/98f9537fe61b8382b3cc5dd97347531698517c56
git.kernel.org/stable/c/de34de6e57bbbc868e4fcf9e98c76b3587cabb0b
git.kernel.org/stable/c/e3e95c6850661c77e6dab079d9b5374a618ebb15
launchpad.net/bugs/cve/CVE-2023-52604
nvd.nist.gov/vuln/detail/CVE-2023-52604
security-tracker.debian.org/tracker/CVE-2023-52604
ubuntu.com/security/notices/USN-6688-1
ubuntu.com/security/notices/USN-6766-1
ubuntu.com/security/notices/USN-6766-2
ubuntu.com/security/notices/USN-6766-3
ubuntu.com/security/notices/USN-6767-1
ubuntu.com/security/notices/USN-6767-2
ubuntu.com/security/notices/USN-6774-1
ubuntu.com/security/notices/USN-6777-1
ubuntu.com/security/notices/USN-6777-2
ubuntu.com/security/notices/USN-6777-3
ubuntu.com/security/notices/USN-6777-4
ubuntu.com/security/notices/USN-6778-1
ubuntu.com/security/notices/USN-6795-1
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2023-52604
Related
