* CVE-2024-26871: f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
@ 2024-04-17 10:28 Greg Kroah-Hartman
0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-04-17 10:28 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
BUG: kernel NULL pointer dereference, address: 0000000000000014
RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? __die+0x29/0x70
? page_fault_oops+0x154/0x4a0
? prb_read_valid+0x20/0x30
? __irq_work_queue_local+0x39/0xd0
? irq_work_queue+0x36/0x70
? do_user_addr_fault+0x314/0x6c0
? exc_page_fault+0x7d/0x190
? asm_exc_page_fault+0x2b/0x30
? f2fs_submit_page_write+0x6cf/0x780 [f2fs]
? f2fs_submit_page_write+0x736/0x780 [f2fs]
do_write_page+0x50/0x170 [f2fs]
f2fs_outplace_write_data+0x61/0xb0 [f2fs]
f2fs_do_write_data_page+0x3f8/0x660 [f2fs]
f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]
f2fs_write_cache_pages+0x3da/0xbe0 [f2fs]
...
It is possible that other threads have added this fio to io->bio
and submitted the io->bio before entering f2fs_submit_page_write().
At this point io->bio = NULL.
If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,
then an NULL pointer dereference error occurs at bio_get(io->bio).
The original code for determining zone end was after "out:",
which would have missed some fio who is zone end. I've moved
this code before "skip:" to make sure it's done for each fio.
The Linux kernel CVE team has assigned CVE-2024-26871 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.5 with commit e067dc3c6b9c and fixed in 6.6.23 with commit 8e2ea8b04cb8
Issue introduced in 6.5 with commit e067dc3c6b9c and fixed in 6.7.11 with commit 4c122a32582b
Issue introduced in 6.5 with commit e067dc3c6b9c and fixed in 6.8.2 with commit 6d102382a11d
Issue introduced in 6.5 with commit e067dc3c6b9c and fixed in 6.9-rc1 with commit c2034ef6192a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26871
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/f2fs/data.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8e2ea8b04cb8d976110c4568509e67d6a39b2889
https://git.kernel.org/stable/c/4c122a32582b67bdd44ca8d25f894ee2dc54f566
https://git.kernel.org/stable/c/6d102382a11d5e6035f6c98f6e508a38541f7af3
https://git.kernel.org/stable/c/c2034ef6192a65a986a45c2aa2ed05824fdc0e9f
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-04-17 10:31 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-17 10:28 CVE-2024-26871: f2fs: fix NULL pointer dereference in f2fs_submit_page_write() Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).