Bug 2297535 (CVE-2024-40951) - CVE-2024-40951 kernel: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()
Keywords:
Status: NEW
Alias: CVE-2024-40951
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-12 13:39 UTC by OSIDB Bzimport
Modified: 2024-09-27 17:18 UTC

Fixed In Version: kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc5
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-07-12 13:39:05 UTC
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

bdev->bd_super has been removed and commit 8887b94d9322 changed the usage
from bdev->bd_super to b_assoc_map->host->i_sb.  Since ocfs2 hasn't set
bh->b_assoc_map, it will trigger a NULL pointer dereference when calling
into ocfs2_abort_trigger().

Actually this was pointed out in history, see commit 74e364ad1b13.  But
I made a mistake when reviewing commit 8887b94d9322 and then
re-introduced this regression.

Since we cannot revive bdev in the buffer head, fix this issue by
initializing all types of ocfs2 triggers at fill-super time, and then get the
specific ocfs2 trigger from ocfs2_caching_info when accessing the journal.

[joseph.qi@linux.alibaba.com: v2]
  Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com
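The shape of the regression and of the fix, as an added illustration that is not kernel code and not part of this bug report: the regressed path derives the superblock from bh->b_assoc_map->host->i_sb, a chain whose first link ocfs2 never populates, so the real kernel oopses; the fixed path stores one trigger per type in the superblock at fill-super time and reaches it through the caching info, which is always initialised before any journal access. All struct layouts, field names other than those quoted from the commit message, the trigger types, and the function names below are hypothetical mocks; the mock lookup returns NULL instead of crashing so the comparison can run in user space.

```c
/* Added illustration, not Linux kernel code. Mock structs mirror the pointer
 * chain named in the commit message; every name here is hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct super_block { const char *name; int aborted; };
struct inode { struct super_block *i_sb; };
struct address_space { struct inode *host; };

/* Buffer head as the commit describes it: ocfs2 never sets b_assoc_map. */
struct buffer_head {
    struct address_space *b_assoc_map;   /* stays NULL for ocfs2 buffers */
    const char *data;
};

/* Hypothetical trigger types; the real set is not on this page. */
enum trigger_type { TRIGGER_INODE, TRIGGER_DIRBLOCK, TRIGGER_COUNT };

struct journal_trigger {
    enum trigger_type type;
    struct super_block *sb;   /* filled at fill-super time: the fix's approach */
};

/* Stand-in for the role ocfs2_caching_info plays in the fix: it points at the
 * superblock's pre-initialised trigger table instead of at a buffer field. */
struct caching_info {
    struct journal_trigger *triggers;
};

struct sb_private {
    struct super_block sb;
    struct journal_trigger triggers[TRIGGER_COUNT];
};

/* Regressed lookup: derives the superblock from a field the filesystem never
 * set. Returns NULL here; in the kernel this dereferenced NULL. */
static struct super_block *sb_from_assoc_map(const struct buffer_head *bh)
{
    if (!bh->b_assoc_map || !bh->b_assoc_map->host)
        return NULL;
    return bh->b_assoc_map->host->i_sb;
}

/* Fixed design, step 1: at fill-super time initialise every trigger type and
 * record the superblock in each, so no later lookup depends on the buffer. */
static void fill_super_init_triggers(struct sb_private *priv)
{
    for (int t = 0; t < TRIGGER_COUNT; t++) {
        priv->triggers[t].type = t;
        priv->triggers[t].sb = &priv->sb;
    }
}

/* Fixed design, step 2: journal access fetches the trigger via the caching
 * info, which is initialised before any journal operation can happen. */
static struct journal_trigger *trigger_from_caching_info(struct caching_info *ci,
                                                         enum trigger_type t)
{
    return &ci->triggers[t];
}

/* Abort path analogous to ocfs2_abort_trigger(): it needs a valid sb. */
static int abort_trigger(struct journal_trigger *trig)
{
    if (!trig || !trig->sb)
        return -1;              /* cannot abort without the superblock */
    trig->sb->aborted = 1;
    return 0;
}

/* Runs both paths on a constructed mock superblock and buffer head.
 * Returns 1 when the regressed lookup fails and the fixed one succeeds. */
int demo(void)
{
    struct sb_private priv = { .sb = { "mock-ocfs2", 0 } };
    struct buffer_head bh = { .b_assoc_map = NULL, .data = "constructed" };
    struct caching_info ci;

    /* Regressed path: the chain is broken at its first link. */
    struct super_block *old_sb = sb_from_assoc_map(&bh);
    int old_rc = abort_trigger(&(struct journal_trigger){ .sb = old_sb });

    /* Fixed path: trigger carries the sb it was initialised with. */
    fill_super_init_triggers(&priv);
    ci.triggers = priv.triggers;
    int new_rc = abort_trigger(trigger_from_caching_info(&ci, TRIGGER_INODE));

    printf("regressed lookup: %s, fixed lookup: %s\n",
           old_rc ? "no sb (would oops)" : "ok",
           new_rc ? "failed" : "aborted sb ok");
    return (old_rc == -1 && new_rc == 0 && priv.sb.aborted == 1) ? 1 : 0;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The defensive point the fix embodies is that context needed on an error path must live in an object that is guaranteed to be initialised by the time the path can run (here, the superblock's own trigger table), rather than be recovered from an optional field that some callers never set; a review that checks which layer actually populates each pointer in a chain like b_assoc_map->host->i_sb would have caught the regression that commit 74e364ad1b13 had already fixed once.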

