Bug 2301468 (CVE-2024-42105)

Summary: CVE-2024-42105 kernel: nilfs2: fix inode number range checks
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.19.318, kernel 5.4.280, kernel 5.10.222, kernel 5.15.163, kernel 6.1.98, kernel 6.6.39, kernel 6.9.9, kernel 6.10 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel in the nilfs2 filesystem where the first non-reserved inode number, read from the superblock, does not have proper checks on its lower limit. If this number overlaps with the inode range of reserved inodes (ex. the root directory) set in the super block parameter, the inode number test macros will not function properly. Additionally, the test macros use left bit-shift calculations with the inode number, but the result of the calculations may exceed the bit width of an integer, creating malfunctions depending on the environment. This vulnerability could result in use-after-free operations causing memory corruption or crashes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2301763    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-30 08:21:49 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix inode number range checks

Patch series "nilfs2: fix potential issues related to reserved inodes".

This series fixes one use-after-free issue reported by syzbot, caused by
nilfs2's internal inode being exposed in the namespace on a corrupted
filesystem, and a couple of flaws that cause problems if the starting
number of non-reserved inodes written in the on-disk super block is
intentionally (or corruptly) changed from its default value.  


This patch (of 3):

In the current implementation of nilfs2, "nilfs->ns_first_ino", which
gives the first non-reserved inode number, is read from the superblock,
but its lower limit is not checked.

As a result, if a number that overlaps with the inode number range of
reserved inodes such as the root directory or metadata files is set in the
super block parameter, the inode number test macros (NILFS_MDT_INODE and
NILFS_VALID_INODE) will not function properly.

In addition, these test macros use left bit-shift calculations using with
the inode number as the shift count via the BIT macro, but the result of a
shift calculation that exceeds the bit width of an integer is undefined in
the C specification, so if "ns_first_ino" is set to a large value other
than the default value NILFS_USER_INO (=11), the macros may potentially
malfunction depending on the environment.

Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and
by preventing bit shifts equal to or greater than the NILFS_USER_INO
constant in the inode number test macros.

Also, change the type of "ns_first_ino" from signed integer to unsigned
integer to avoid the need for type casting in comparisons such as the
lower bound check introduced this time.
Comment 1 Mauro Matteo Cascella 2024-07-30 18:29:26 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024073020-CVE-2024-42105-276f@gregkh/T
Comment 2 Mauro Matteo Cascella 2024-07-30 18:29:47 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2301763]