Bug 2300296 (CVE-2024-41013) - CVE-2024-41013 kernel: xfs: don't walk off the end of a directory data block
Summary: CVE-2024-41013 kernel: xfs: don't walk off the end of a directory data block
Keywords:
Status: NEW
Alias: CVE-2024-41013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2300853
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-29 07:20 UTC by OSIDB Bzimport
Modified: 2024-11-07 15:10 UTC (History)
4 users (show)

Fixed In Version: kernel 6.11-rc1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:7043 0 None None None 2024-09-24 09:43:19 UTC
Red Hat Product Errata RHBA-2024:7198 0 None None None 2024-09-26 09:49:00 UTC
Red Hat Product Errata RHBA-2024:7236 0 None None None 2024-09-26 14:37:50 UTC
Red Hat Product Errata RHBA-2024:7637 0 None None None 2024-10-03 14:46:07 UTC
Red Hat Product Errata RHBA-2024:8227 0 None None None 2024-10-17 06:46:21 UTC
Red Hat Product Errata RHBA-2024:9014 0 None None None 2024-11-07 15:10:51 UTC
Red Hat Product Errata RHSA-2024:7000 0 None None None 2024-09-24 02:34:58 UTC
Red Hat Product Errata RHSA-2024:7001 0 None None None 2024-09-24 00:39:36 UTC
Red Hat Product Errata RHSA-2024:8617 0 None None None 2024-10-30 01:26:44 UTC

Description OSIDB Bzimport 2024-07-29 07:20:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

xfs: don't walk off the end of a directory data block

This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry
to make sure don't stray beyond valid memory region. Before patching, the
loop simply checks that the start offset of the dup and dep is within the
range. So in a crafted image, if last entry is xfs_dir2_data_unused, we
can change dup->length to dup->length-1 and leave 1 byte of space. In the
next traversal, this space will be considered as dup or dep. We may
encounter an out of bound read when accessing the fixed members.

In the patch, we make sure that the remaining bytes large enough to hold
an unused entry before accessing xfs_dir2_data_unused and
xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make
sure that the remaining bytes large enough to hold a dirent with a
single-byte name before accessing xfs_dir2_data_entry.
Comment 1 Mauro Matteo Cascella 2024-07-29 19:03:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2300853]
Comment 130 errata-xmlrpc 2024-09-24 00:39:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7001 https://access.redhat.com/errata/RHSA-2024:7001
Comment 131 errata-xmlrpc 2024-09-24 02:34:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7000 https://access.redhat.com/errata/RHSA-2024:7000
Comment 132 errata-xmlrpc 2024-10-30 01:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8617 https://access.redhat.com/errata/RHSA-2024:8617
Note You need to log in before you can comment on or make changes to this bug.