CVE-2024-26956

nilfs2: fix failure to detect DAT corruption in btree and direct mappings

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix failure to detect DAT corruption in btree and direct mappings

Patch series "nilfs2: fix kernel bug at submit_bh_wbc()".

This resolves a kernel BUG reported by syzbot. Since there are two
flaws involved, I've made each one a separate patch.

The first patch alone resolves the syzbot-reported bug, but I think
both fixes should be sent to stable, so I've tagged them as such.

This patch (of 2):

Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data
to a nilfs2 file system whose metadata is corrupted.

There are two flaws involved in this issue.

The first flaw is that when nilfs_get_block() locates a data block using
btree or direct mapping, if the disk address translation routine
nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata
corruption, it can be passed back to nilfs_get_block(). This causes
nilfs_get_block() to misidentify an existing block as non-existent,
causing both data block lookup and insertion to fail inconsistently.

The second flaw is that nilfs_get_block() returns a successful status in
this inconsistent state. This causes the caller __block_write_begin_int()
or others to request a read even though the buffer is not mapped,
resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()
failing.

This fixes the first issue by changing the return value to code -EINVAL
when a conversion using DAT fails with code -ENOENT, avoiding the
conflicting condition that leads to the kernel bug described above. Here,
code -EINVAL indicates that metadata corruption was detected during the
block lookup, which will be properly handled as a file system error and
converted to -EIO when passing through the nilfs2 bmap layer.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrige el error al detectar daños en DAT en btree y asignaciones directas Serie de parches "nilfs2: corrige el error del kernel en submit_bh_wbc()". Esto resuelve un ERROR del kernel informado por syzbot. Dado que hay dos fallas involucradas, hice un parche para cada uno por separado. El primer parche por sí solo resuelve el error reportado por syzbot, pero creo que ambas correcciones deberían enviarse a estable, así que las etiqueté como tales. Este parche (de 2): Syzbot ha informado de un error en el kernel en submit_bh_wbc() al escribir datos de archivos en un sistema de archivos nilfs2 cuyos metadatos están dañados. Hay dos errores involucrados en este tema. El primer defecto es que cuando nilfs_get_block() localiza un bloque de datos usando btree o mapeo directo, si la rutina de traducción de direcciones de disco nilfs_dat_translate() falla con el código interno -ENOENT debido a la corrupción de los metadatos DAT, se puede devolver a nilfs_get_block(). Esto hace que nilfs_get_block() identifique erróneamente un bloque existente como inexistente, lo que provoca que tanto la búsqueda como la inserción del bloque de datos fallen de manera inconsistente. El segundo defecto es que nilfs_get_block() devuelve un estado exitoso en este estado inconsistente. Esto hace que la persona que llama __block_write_begin_int() u otros soliciten una lectura aunque el búfer no esté asignado, lo que resulta en una verificación BUG_ON para el indicador BH_Mapped en submit_bh_wbc() que falla. Esto soluciona el primer problema cambiando el valor de retorno al código -EINVAL cuando falla una conversión usando DAT con el código -ENOENT, evitando la condición conflictiva que conduce al error del kernel descrito anteriormente. Aquí, el código -EINVAL indica que se detectó corrupción de metadatos durante la búsqueda del bloque, lo que se manejará adecuadamente como un error del sistema de archivos y se convertirá a -EIO al pasar a través de la capa bmap nilfs2.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/c3a7abf06ce719a51139e62a034590be99abbc2c	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35	2024-04-13
https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e	2024-04-13
https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb	2024-04-13
https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84	2024-04-10
https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7	2024-04-03
https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862	2024-04-03
https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713	2024-04-03
https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4	2024-04-03
https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba	2024-03-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.9"		en		Affected