Takashi Iwai df5c95
From 21a87d88c2253350e115029f14fe2a10a7e6c856 Mon Sep 17 00:00:00 2001
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date: Sun, 2 Oct 2022 12:08:04 +0900
Subject: [PATCH] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
Git-commit: 21a87d88c2253350e115029f14fe2a10a7e6c856
Patch-mainline: v6.1-rc1
References: CVE-2022-3621 bsc#1204574
If the i_mode field in inode of metadata files is corrupted on disk, it
can cause the initialization of bmap structure, which should have been
called from nilfs_read_inode_common(), not to be called.  This causes a
lockdep warning followed by a NULL pointer dereference at
nilfs_bmap_lookup_at_level().
This patch fixes these issues by adding a missing sanity check for the
i_mode field of metadata file's inode.
Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
 fs/nilfs2/inode.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index b074144f6f83..232dd7b6cca1 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -455,6 +455,8 @@ int nilfs_read_inode_common(struct inode *inode,
 	inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
 	inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec);
 	inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
+	if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
+		return -EIO; /* this inode is for metadata and corrupted */
 	if (inode->i_nlink == 0)
 		return -ESTALE; /* this inode is deleted */
 
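Review bot: the new check in this hunk rejects a metadata-file inode whose i_mode is not S_IFREG with `return -EIO;` but does so silently, so a crafted or damaged image that trips it surfaces only as a bare I/O error; consider reporting the corruption (which metadata inode, and the bad mode value) before returning, so an operator or a fuzzer triage can distinguish this case from a genuine device error. Placement otherwise looks right: the test reads inode->i_mode, which must already have been copied from raw_inode earlier in nilfs_read_inode_common() for the check to be meaningful, and putting it ahead of the `if (inode->i_nlink == 0)` test means a corrupted metadata inode is rejected as -EIO rather than misreported as -ESTALE. The comment style matches the neighbouring `/* this inode is deleted */`, so no change needed there.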
-- 
2.35.3