CVE-2024-39467 f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()

2024-06-2514:25:05

Linux

github.com

linux kernel

vulnerability

f2fs

sanity check

kasan

bug report

fiemap

compute engine

cve

AI Score

6.2

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()

syzbot reports a kernel bug as below:

F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4

BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]
BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076

CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
current_nat_addr fs/f2fs/node.h:213 [inline]
f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]
f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838
__do_sys_ioctl fs/ioctl.c:902 [inline]
__se_sys_ioctl+0x81/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is we missed to do sanity check on i_xattr_nid during
f2fs_iget(), so that in fiemap() path, current_nat_addr() will access
nat_bitmap w/ offset from invalid i_xattr_nid, result in triggering
kasan bug report, fix it.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "c559a8d84056",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "75c87e2ac614",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "1640dcf383cd",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "8c8aa473fe6e",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "be0155202e43",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "68e3cd4ecb86",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "20faaf30e555",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "fs/f2fs/inode.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "unaffected",
        "version": "5.4.278",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.219",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.161",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "6.1.94",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.34",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.9.5",
        "versionType": "custom",
        "lessThanOrEqual": "6.9.*"
      },
      {
        "status": "unaffected",
        "version": "6.10",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "fs/f2fs/inode.c"
    ],
    "defaultStatus": "affected"
  }
]