CVE-2023-52848

f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to drop meta_inode's page cache in f2fs_put_super()

syzbot reports a kernel bug as below:

F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1
kernel BUG at fs/f2fs/super.c:1639!
CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0
RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639
Call Trace:
generic_shutdown_super+0x161/0x3c0 fs/super.c:693
kill_block_super+0x3b/0x70 fs/super.c:1646
kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879
deactivate_locked_super+0x9a/0x170 fs/super.c:481
deactivate_super+0xde/0x100 fs/super.c:514
cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
task_work_run+0x14d/0x240 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

In f2fs_put_super(), it tries to do sanity check on dirty and IO
reference count of f2fs, once there is any reference count leak,
it will trigger panic.

The root case is, during f2fs_put_super(), if there is any IO error
in f2fs_wait_on_all_pages(), we missed to truncate meta_inode's page
cache later, result in panic, fix this case.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: corrección para eliminar el caché de la página de meta_inode en f2fs_put_super() syzbot informa un error en el kernel como se muestra a continuación: F2FS-fs (loop1): detecta pérdida del recuento de referencias del sistema de archivos durante el desmontaje, escriba: 10 , recuento: ¡1 BUG del kernel en fs/f2fs/super.c:1639! CPU: 0 PID: 15451 Comm: syz-executor.1 No contaminado 6.5.0-syzkaller-09338-ge0152e7481c6 #0 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639 Seguimiento de llamadas: generic_shutdown_super+0x161 /0x3c0 fs/super.c:693 kill_block_super+0x3b/0x70 fs/super.c:1646 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879 deactivate_locked_super+0x9a/0x170 fs/super.c:481 deactivate_super+0xde /0x100 fs/super.c:514 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [en línea] exit_to_user_mode_loop kernel/entry /common.c:171 [en línea] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [en línea] syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 Entry_SYSCALL_64_after_hwframe+0x63/0xcd En f2fs_put_super(), intenta realizar una verificación de cordura en el recuento de referencias sucias y de IO de f2fs, una vez que hay alguna fuga en el recuento de referencias, provocará pánico. El caso raíz es que, durante f2fs_put_super(), si hay algún error de IO en f2fs_wait_on_all_pages(), no pudimos truncar el caché de la página de meta_inode más tarde, lo que generó pánico, solucionemos este caso.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/20872584b8c0b006c007da9588a272c9e28d2e18	Vuln. Introduced
https://git.kernel.org/stable/c/0e2577074b459bba7f4016f4d725ede37d48bb22	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/eb42e1862aa7934c2c21890097ce4993c5e0d192	2023-11-20
https://git.kernel.org/stable/c/10b2a6c0dade67b5a2b2d17fb75c457ea1985fad	2023-11-20
https://git.kernel.org/stable/c/a4639380bbe66172df329f8b54aa7d2e943f0f64	2023-09-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.5.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.5.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.16 Search vendor "Linux" for product "Linux Kernel" and version "6.4.16"		en		Affected