In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix underflow in second superblock position calculations

Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second superblock, underflows when the argument device size is less than 4096 bytes. Therefore, when using this macro, it is necessary to check in advance that the device size is not less than a lower limit, or at least that underflow does not occur. The current nilfs2 implementation lacks this check, causing out-of-bound block access when mounting devices smaller than 4096 bytes:

```
I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
NILFS (loop0): unable to read secondary superblock (blocksize = 1024)
```

In addition, when trying to resize the filesystem to a size below 4096 bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number of segments to nilfs_sufile_resize(), corrupting parameters such as the number of segments in superblocks. This causes excessive loop iterations in nilfs_sufile_resize() during a subsequent resize ioctl, causing semaphore ns_segctor_sem to block for a long time and hang the writer thread:

```
INFO: task segctord:5067 blocked for more than 143 seconds.
      Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:segctord        state:D stack:23456 pid:5067  ppid:2      flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5293 [inline]
 __schedule+0x1409/0x43f0 kernel/sched/core.c:6606
 schedule+0xc3/0x190 kernel/sched/core.c:6682
 rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190
 nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357
 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]
 nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570
 kthread+0x270/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
...
Call Trace:
 <TASK>
 folio_mark_accessed+0x51c/0xf00 mm/swap.c:515
 __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]
 nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61
 nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121
 nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176
 nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251
 nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]
 nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]
 nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777
 nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422
 nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]
 nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301
...
```

This fixes these issues by inserting appropriate minimum device size checks or anti-underflow checks, depending on where the macro is used.
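The arithmetic behind the report above, as an added C illustration that is not the kernel's code. The macro body is reproduced here from memory of the upstream header and should be treated as an assumption; `NILFS_SB2_MIN_DEVSIZE`, `sb2_offset_unchecked()`, `sb2_offset_checked()`, `offset_to_sector()` and `segments_from_sb2off()` are names introduced for this example, and the segment-count function is only a simplified model of how the resize path derives a segment count from the offset. With a 64-bit unsigned device size below 4096, `(devsize >> 12) - 1` wraps to `UINT64_MAX`, the shift yields `0xFFFFFFFFFFFFF000`, and dividing that by 512 gives exactly the sector number in the I/O error line; the guarded variant rejects such sizes before the macro runs, which is the shape of the fix described in the commit.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/*
 * Assumed reproduction of the upstream macro (not copied from this page).
 * For devsize < 4096 the inner subtraction wraps around on an unsigned
 * 64-bit value, so the result is huge instead of a small byte offset.
 */
#define NILFS_SB2_OFFSET_BYTES(devsize) ((((devsize) >> 12) - 1) << 12)

/* Hypothetical lower bound for this example: one 4 KiB unit, per the advisory text. */
#define NILFS_SB2_MIN_DEVSIZE 4096ULL

/* Unguarded use: the pre-fix behaviour, returns a wrapped offset for tiny devices. */
uint64_t sb2_offset_unchecked(uint64_t devsize)
{
    return NILFS_SB2_OFFSET_BYTES(devsize);
}

/*
 * Guarded use: reject devices too small to hold a second superblock before
 * the macro is evaluated. Returns 0 and fills *offset on success, -ERANGE otherwise.
 */
int sb2_offset_checked(uint64_t devsize, uint64_t *offset)
{
    if (devsize < NILFS_SB2_MIN_DEVSIZE)
        return -ERANGE;
    *offset = NILFS_SB2_OFFSET_BYTES(devsize);
    return 0;
}

/* Byte offset to 512-byte sector, the unit printed in the block-layer I/O error. */
uint64_t offset_to_sector(uint64_t offset)
{
    return offset >> 9;
}

/*
 * Simplified model (assumption) of the resize path: the segment count is the
 * number of filesystem blocks below the second superblock divided by the
 * blocks per segment. A wrapped offset turns into an absurd segment count.
 */
uint64_t segments_from_sb2off(uint64_t sb2off, unsigned blocksize_bits,
                              uint64_t blocks_per_segment)
{
    return (sb2off >> blocksize_bits) / blocks_per_segment;
}

int main(void)
{
    uint64_t sizes[] = { 1024, 4096, 1ULL << 20 };
    for (unsigned i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint64_t off;
        uint64_t raw = sb2_offset_unchecked(sizes[i]);
        int rc = sb2_offset_checked(sizes[i], &off);
        printf("devsize=%llu unchecked=0x%llx sector=%llu checked=%s\n",
               (unsigned long long)sizes[i], (unsigned long long)raw,
               (unsigned long long)offset_to_sector(raw),
               rc ? "rejected" : "ok");
    }
    /* blocksize 1024 (bits=10) and 2048 blocks per segment: constructed sample parameters. */
    printf("segments from wrapped offset: %llu\n",
           (unsigned long long)segments_from_sb2off(sb2_offset_unchecked(1024), 10, 2048));
    return 0;
}
```

Running it shows a 1024-byte device producing sector 36028797018963960, matching the log line, while the guarded variant returns `-ERANGE` for the same input.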
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | linux-aws-hwe | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/99b9402a36f0799f25feee4465bfa4b8dfa74b4d (6.2)
git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5
git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b
git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f
git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d
git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205
git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4
git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff
launchpad.net/bugs/cve/CVE-2023-52705
nvd.nist.gov/vuln/detail/CVE-2023-52705
security-tracker.debian.org/tracker/CVE-2023-52705
www.cve.org/CVERecord?id=CVE-2023-52705