CVE-2023-52900
- Severity CVSS v4.0: Pending analysis
- Type: Unavailable / Other
- Publication date: 21/08/2024
- Last modified: 13/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix general protection fault in nilfs_btree_insert()

If nilfs2 reads a corrupted disk image and tries to read a b-tree node
block by calling __nilfs_btree_get_block() against an invalid virtual
block address, it returns -ENOENT because conversion of the virtual block
address to a disk block address fails. However, this return value is the
same as the internal code that b-tree lookup routines return to indicate
that the block being searched does not exist, so functions that operate on
that b-tree may misbehave.

When nilfs_btree_insert() receives this spurious 'not found' code from
nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
successful and continues the insert operation using incomplete lookup path
data, causing the following crash:

```
general protection fault, probably for non-canonical address
0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 80 3c
28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
...
Call Trace:
nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
__block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
__block_write_begin fs/buffer.c:2041 [inline]
block_write_begin+0x93/0x1e0 fs/buffer.c:2102
nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
call_write_iter include/linux/fs.h:2186 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
```

This patch fixes the root cause of this problem by replacing the error
code that __nilfs_btree_get_block() returns on block address conversion
failure from -ENOENT to another internal code -EINVAL which means that the
b-tree metadata is corrupted.

By returning -EINVAL, it propagates without glitches, and for all relevant
b-tree operations, functions in the upper bmap layer output an error
message indicating corrupted b-tree metadata via
nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
it should be.
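
The error-code collision described above, reduced to a user-space C model (an added example, not the kernel's code or the patch itself). The names `get_block`, `do_lookup`, `insert`, `conv_err` and `BAD_VBLOCK` are hypothetical stand-ins, and `-EFAULT` marks the point where the real code dereferenced the unfilled path entry.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define LEVELS 3
#define BAD_VBLOCK 0xdeadUL   /* constructed: a pointer no block maps to */

struct node { unsigned long child; };        /* simplified b-tree node */
struct path { struct node *node[LEVELS]; };  /* lookup path, root at [0] */
static struct node blocks[LEVELS] = { {1}, {2}, {0} };

/* Block fetch: address conversion fails for a corrupt pointer.
 * conv_err is -ENOENT before the fix and -EINVAL after it. */
static int get_block(unsigned long vblock, int conv_err, struct node **out)
{
    if (vblock >= LEVELS)
        return conv_err;
    *out = &blocks[vblock];
    return 0;
}

/* Walk down from the root; -ENOENT means "key not present". */
static int do_lookup(struct path *p, int conv_err)
{
    unsigned long next = 0;
    for (int lvl = 0; lvl < LEVELS; lvl++) {
        int ret = get_block(next, conv_err, &p->node[lvl]);
        if (ret < 0)
            return ret;       /* path below this level stays unfilled */
        next = p->node[lvl]->child;
    }
    return -ENOENT;           /* full path built, key absent */
}

/* Insert proceeds only when lookup reports the key as absent.
 * corrupt != 0 plants a bad child pointer in the root (model input). */
static int insert(int corrupt, int conv_err)
{
    struct path p = { { NULL } };
    blocks[0].child = corrupt ? BAD_VBLOCK : 1;
    int ret = do_lookup(&p, conv_err);
    if (ret != -ENOENT)
        return ret;           /* -EINVAL surfaces as a corruption error */
    /* The kernel dereferences the leaf here; the model returns -EFAULT. */
    return p.node[LEVELS - 1] ? 0 : -EFAULT;
}

int main(void)
{
    printf("before: %d, after: %d\n", insert(1, -ENOENT), insert(1, -EINVAL));
    return 0;
}
```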
Impact
- Base Score 3.x: 5.50
- Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.14.304 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.271 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.230 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.90 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04
- https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545
- https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062
- https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243
- https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051
- https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d
- https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749



