CVE-2024-42105

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
30/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix inode number range checks

Patch series "nilfs2: fix potential issues related to reserved inodes".

This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value.

This patch (of 3):

In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked.

As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly.

In addition, these test macros use left bit-shift calculations with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment.

Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros.

Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time.
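The following is an added user-space model of the two problems the commit message describes; it is not the kernel's code or the patch itself. The `old_*` functions mirror the shape of the pre-fix NILFS_MDT_INODE / NILFS_VALID_INODE macros (an unchecked `BIT(ino)` shift gated only by `ns_first_ino`), and the `new_*` functions plus `check_first_ino()` mirror the fix described above (a lower-bound check at superblock load time and a `ino < NILFS_USER_INO` guard in front of the shift). The reserved inode numbers 2 through 10 are assumed from the nilfs2 on-disk layout; only NILFS_USER_INO (=11) is stated on this page. The `BIT()` macro is written in the same form as the kernel's (`1UL << nr`).

```c
/* Added example, not kernel code: models nilfs2's inode-number test macros
 * before and after the fix for CVE-2024-42105. Reserved inode numbers are
 * assumed from the nilfs2 on-disk layout; NILFS_USER_INO (=11) is from the
 * advisory text. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(nr) (1UL << (nr))          /* same shape as the kernel's BIT() */

/* Reserved inode numbers (assumed values). */
#define NILFS_ROOT_INO    2
#define NILFS_DAT_INO     3
#define NILFS_CPFILE_INO  4
#define NILFS_SUFILE_INO  5
#define NILFS_IFILE_INO   6
#define NILFS_ATIME_INO   7
#define NILFS_SKETCH_INO  10
#define NILFS_USER_INO    11   /* default first non-reserved inode number */

#define NILFS_MDT_INO_BITS \
    (BIT(NILFS_DAT_INO) | BIT(NILFS_CPFILE_INO) | BIT(NILFS_SUFILE_INO) | \
     BIT(NILFS_IFILE_INO) | BIT(NILFS_ATIME_INO) | BIT(NILFS_SKETCH_INO))
#define NILFS_SYS_INO_BITS (BIT(NILFS_ROOT_INO) | NILFS_MDT_INO_BITS)

/* Models the_nilfs.ns_first_ino, which is read from the superblock. */
struct fs_state {
    unsigned long first_ino;   /* unsigned, as the fix makes it */
};

/* ---- Before the fix: neither the lower bound nor the shift is checked ---- */

/* Shape of the old NILFS_MDT_INODE: the only gate on the shift count is the
 * superblock-supplied first_ino. Caller must keep ino below the bit width,
 * otherwise BIT(ino) is undefined behaviour. */
static bool old_mdt_inode(const struct fs_state *fs, unsigned long ino)
{
    return ino < fs->first_ino && (NILFS_MDT_INO_BITS & BIT(ino));
}

/* Shape of the old NILFS_VALID_INODE, same caveat on the shift count. */
static bool old_valid_inode(const struct fs_state *fs, unsigned long ino)
{
    return ino >= fs->first_ino || (NILFS_SYS_INO_BITS & BIT(ino));
}

/* True when BIT(ino) is well defined for an unsigned long. */
static bool shift_is_defined(unsigned long ino)
{
    return ino < sizeof(unsigned long) * CHAR_BIT;
}

/* ---- After the fix ---- */

/* Lower-bound check at superblock load: a first_ino inside the reserved
 * range is rejected instead of being trusted. */
static int check_first_ino(struct fs_state *fs, uint32_t s_first_ino)
{
    if (s_first_ino < NILFS_USER_INO)
        return -EINVAL;        /* overlaps reserved inodes: refuse to mount */
    fs->first_ino = s_first_ino;
    return 0;
}

/* The shift is now guarded by ino < NILFS_USER_INO, so the shift count can
 * never reach the bit width regardless of what first_ino holds. */
static bool new_mdt_inode(const struct fs_state *fs, unsigned long ino)
{
    (void)fs;  /* the superblock value no longer gates the metadata test */
    return ino < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(ino));
}

static bool new_valid_inode(const struct fs_state *fs, unsigned long ino)
{
    return ino >= fs->first_ino ||
           (ino < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)));
}

int main(void)
{
    struct fs_state fs;

    /* Corrupt superblock: first_ino = 5 overlaps the reserved range, so the
     * old test stops recognising the ifile (ino 6) as a metadata file. */
    fs.first_ino = 5;
    printf("old: ifile (ino 6) seen as metadata file? %d\n",
           old_mdt_inode(&fs, NILFS_IFILE_INO));
    printf("new: ifile (ino 6) seen as metadata file? %d\n",
           new_mdt_inode(&fs, NILFS_IFILE_INO));
    printf("new: loader rejects first_ino=5? %d\n",
           check_first_ino(&fs, 5) == -EINVAL);

    /* Oversized first_ino: the old macro would evaluate BIT(100), which is
     * undefined; the new one never shifts by 100 at all. */
    fs.first_ino = 1000;
    printf("BIT(100) well defined? %d\n", shift_is_defined(100));
    printf("new: ino 100 valid? %d\n", new_valid_inode(&fs, 100));
    return 0;
}
```

The two defects are independent: the too-small `first_ino` case is a pure logic error (a reserved inode falls through the `ino < first_ino` gate and is treated like a user inode), while the too-large case turns the macro into undefined behaviour before any logic runs. The fix addresses the first at load time and the second by bounding the shift count with a compile-time constant rather than a value read from disk.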

Vulnerable products and versions

CPE                                           From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  -                     4.19.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  4.20 (including)      5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.5 (including)       5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.11 (including)      5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.16 (including)      6.1.98 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.2 (including)       6.6.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)       6.9.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*