CVE-2024-49881 – ext4: update orig_path in ext4_find_extent()
https://notcve.org/view.php?id=CVE-2024-49881
In the Linux kernel, the following vulnerability has been resolved: ext4: update orig_path in ext4_find_extent() In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example: ext4_split_extent path = *ppath = 2000 ext4_find_extent if (depth > path[0].p_maxdepth) kfree(path = 2000); *orig_path = path = NULL; path = kcalloc() = 3000 ext4_split_extent_at(*ppath = NULL) path = *ppath; ex = path[depth].p_ext; // NULL pointer dereference! ================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000010 CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847 RIP: 0010:ext4_split_extent_at+0x6d/0x560 Call Trace: <TASK> ext4_split_extent.isra.0+0xcb/0x1b0 ext4_ext_convert_to_initialized+0x168/0x6c0 ext4_ext_handle_unwritten_extents+0x325/0x4d0 ext4_ext_map_blocks+0x520/0xdb0 ext4_map_blocks+0x2b0/0x690 ext4_iomap_begin+0x20e/0x2c0 [...] ================================================================== Therefore, *orig_path is updated when the extent lookup succeeds, so that the caller can safely use path or *ppath. • https://git.kernel.org/stable/c/10809df84a4d868db61af621bae3658494165279 https://git.kernel.org/stable/c/ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599 https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679 https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2 https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42 https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea3 •
CVE-2024-49880 – ext4: fix off by one issue in alloc_flex_gd()
https://notcve.org/view.php?id=CVE-2024-49880
In the Linux kernel, the following vulnerability has been resolved: ext4: fix off by one issue in alloc_flex_gd() Wesley reported an issue: ================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size. The reproduction of the problem requires the following: o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size; Take n=0,flexbg_size=16 as an example: last:15 |o---------------|--------------n-| o_group:0 resize to n_group:30 The corresponding reproducer is: img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=`losetup -f --show $img` mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again. [ Note: another reproucer which this commit fixes is: img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img truncate -s 3GiB $img dev=`losetup -f --show $img` mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev -- TYT ] • https://git.kernel.org/stable/c/665d3e0af4d35acf9a5f58dfd471bc27dbf55880 https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0 https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526 https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88 •
CVE-2024-49879 – drm: omapdrm: Add missing check for alloc_ordered_workqueue
https://notcve.org/view.php?id=CVE-2024-49879
In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. • https://git.kernel.org/stable/c/2f95bc6d324a93b2411bcc5defe4d4414c45f325 https://git.kernel.org/stable/c/c17a4f52fa3c3dac2dd6a3c38f2de7342d97d74c https://git.kernel.org/stable/c/2bda89735199683b03f55b807bd1e31a3857520b https://git.kernel.org/stable/c/e60b0d3b5aa2e8d934deca9e11215af84e632bc9 https://git.kernel.org/stable/c/f37a1d9e5e22d5489309c3cd2db476dcdcc6530c https://git.kernel.org/stable/c/b57b53e8ffcdfda87d954fc4187426a54fe75a3d https://git.kernel.org/stable/c/0d71916694aceb207fefecf62dfa811ec1108bbd https://git.kernel.org/stable/c/334de68eda2b99892ba869c15cb59bc95 •
CVE-2024-49878 – resource: fix region_intersects() vs add_memory_driver_managed()
https://notcve.org/view.php?id=CVE-2024-49878
In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". • https://git.kernel.org/stable/c/c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337 https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4 https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3 https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885 https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9 https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512 •
CVE-2024-49877 – ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
https://notcve.org/view.php?id=CVE-2024-49877
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL. • https://git.kernel.org/stable/c/6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc https://git.kernel.org/stable/c/cf76c78595ca87548ca5e45c862ac9e0949c4687 https://git.kernel.org/stable/c/01f93d5e36753fc4d06ec67f05ce78c9c6f2dd56 https://git.kernel.org/stable/c/65cbd1279f4b999d56a838344a30642db24cd215 https://git.kernel.org/stable/c/97e1db17bc1ef4c2e1789bc9323c7be44fba53f8 https://git.kernel.org/stable/c/190d98bcd61117a78fe185222d162180f061a6ca https://git.kernel.org/stable/c/e68c8323355e8cedfbe0bec7d5a39009f61640b6 https://git.kernel.org/stable/c/61b84013e560382cbe7dd56758be3154d •