CVE-2024-26956 nilfs2: fix failure to detect DAT corruption in btree and direct mappings

2024-05-0105:18:56

Linux

github.com

linux kernel

nilfs2

metadata corruption

btree

direct mapping

kernel bug

dat

corruption

patch

file system

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix failure to detect DAT corruption in btree and direct mappings

Patch series “nilfs2: fix kernel bug at submit_bh_wbc()”.

This resolves a kernel BUG reported by syzbot. Since there are two
flaws involved, I’ve made each one a separate patch.

The first patch alone resolves the syzbot-reported bug, but I think
both fixes should be sent to stable, so I’ve tagged them as such.

This patch (of 2):

Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data
to a nilfs2 file system whose metadata is corrupted.

There are two flaws involved in this issue.

The first flaw is that when nilfs_get_block() locates a data block using
btree or direct mapping, if the disk address translation routine
nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata
corruption, it can be passed back to nilfs_get_block(). This causes
nilfs_get_block() to misidentify an existing block as non-existent,
causing both data block lookup and insertion to fail inconsistently.

The second flaw is that nilfs_get_block() returns a successful status in
this inconsistent state. This causes the caller __block_write_begin_int()
or others to request a read even though the buffer is not mapped,
resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()
failing.

This fixes the first issue by changing the return value to code -EINVAL
when a conversion using DAT fails with code -ENOENT, avoiding the
conflicting condition that leads to the kernel bug described above. Here,
code -EINVAL indicates that metadata corruption was detected during the
block lookup, which will be properly handled as a file system error and
converted to -EIO when passing through the nilfs2 bmap layer.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "b67189690eb4",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "9cbe1ad5f435",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "c3b5c5c31e72",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "2e2619ff5d0d",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "46b832e09d43",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "f69e81396aea",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "a8e4d098de1c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "82827ca21e7c",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "c3a7abf06ce7",
        "lessThan": "f2f26b4a84a0",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "fs/nilfs2/btree.c",
      "fs/nilfs2/direct.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "2.6.31"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "2.6.31",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "4.19.312",
        "versionType": "custom",
        "lessThanOrEqual": "4.19.*"
      },
      {
        "status": "unaffected",
        "version": "5.4.274",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.215",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.154",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "6.1.84",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.24",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.7.12",
        "versionType": "custom",
        "lessThanOrEqual": "6.7.*"
      },
      {
        "status": "unaffected",
        "version": "6.8.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.8.*"
      },
      {
        "status": "unaffected",
        "version": "6.9",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "fs/nilfs2/btree.c",
      "fs/nilfs2/direct.c"
    ],
    "defaultStatus": "affected"
  }
]