CVE-2024-42311
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/08/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()<br />
<br />
Syzbot reports uninitialized value access issue as below:<br />
<br />
loop0: detected capacity change from 0 to 64<br />
=====================================================<br />
BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30<br />
hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30<br />
d_revalidate fs/namei.c:862 [inline]<br />
lookup_fast+0x89e/0x8e0 fs/namei.c:1649<br />
walk_component fs/namei.c:2001 [inline]<br />
link_path_walk+0x817/0x1480 fs/namei.c:2332<br />
path_lookupat+0xd9/0x6f0 fs/namei.c:2485<br />
filename_lookup+0x22e/0x740 fs/namei.c:2515<br />
user_path_at_empty+0x8b/0x390 fs/namei.c:2924<br />
user_path_at include/linux/namei.h:57 [inline]<br />
do_mount fs/namespace.c:3689 [inline]<br />
__do_sys_mount fs/namespace.c:3898 [inline]<br />
__se_sys_mount+0x66b/0x810 fs/namespace.c:3875<br />
__x64_sys_mount+0xe4/0x140 fs/namespace.c:3875<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]<br />
BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366<br />
hfs_ext_read_extent fs/hfs/extent.c:196 [inline]<br />
hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366<br />
block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271<br />
hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39<br />
filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426<br />
do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553<br />
do_read_cache_page mm/filemap.c:3595 [inline]<br />
read_cache_page+0xfb/0x2f0 mm/filemap.c:3604<br />
read_mapping_page include/linux/pagemap.h:755 [inline]<br />
hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78<br />
hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204<br />
hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406<br />
mount_bdev+0x628/0x920 fs/super.c:1359<br />
hfs_mount+0xcd/0xe0 fs/hfs/super.c:456<br />
legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610<br />
vfs_get_tree+0xdc/0x5d0 fs/super.c:1489<br />
do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145<br />
path_mount+0xf98/0x26a0 fs/namespace.c:3475<br />
do_mount fs/namespace.c:3488 [inline]<br />
__do_sys_mount fs/namespace.c:3697 [inline]<br />
__se_sys_mount+0x919/0x9e0 fs/namespace.c:3674<br />
__ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674<br />
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]<br />
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178<br />
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203<br />
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246<br />
entry_SYSENTER_compat_after_hwframe+0x70/0x82<br />
<br />
Uninit was created at:<br />
__alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590<br />
__alloc_pages_node include/linux/gfp.h:238 [inline]<br />
alloc_pages_node include/linux/gfp.h:261 [inline]<br />
alloc_slab_page mm/slub.c:2190 [inline]<br />
allocate_slab mm/slub.c:2354 [inline]<br />
new_slab+0x2d7/0x1400 mm/slub.c:2407<br />
___slab_alloc+0x16b5/0x3970 mm/slub.c:3540<br />
__slab_alloc mm/slub.c:3625 [inline]<br />
__slab_alloc_node mm/slub.c:3678 [inline]<br />
slab_alloc_node mm/slub.c:3850 [inline]<br />
kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879<br />
alloc_inode_sb include/linux/fs.h:3018 [inline]<br />
hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165<br />
alloc_inode+0x83/0x440 fs/inode.c:260<br />
new_inode_pseudo fs/inode.c:1005 [inline]<br />
new_inode+0x38/0x4f0 fs/inode.c:1031<br />
hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186<br />
hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228<br />
vfs_mkdir+0x49a/0x700 fs/namei.c:4126<br />
do_mkdirat+0x529/0x810 fs/namei.c:4149<br />
__do_sys_mkdirat fs/namei.c:4164 [inline]<br />
__se_sys_mkdirat fs/namei.c:4162 [inline]<br />
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
It missed to initialize .tz_secondswest, .cached_start and .cached_blocks<br />
fields in struct hfs_inode_info after hfs_alloc_inode(), fix it.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.320 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.282 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.224 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/10f7163bfb5f8b4e0c9c05a939f20b8540e33c65
- https://git.kernel.org/stable/c/26a2ed107929a855155429b11e1293b83e6b2a8b
- https://git.kernel.org/stable/c/4a52861cd76e79f1a593beb23d096523eb9732c2
- https://git.kernel.org/stable/c/58d83fc160505a7009c39dec64effaac5129b971
- https://git.kernel.org/stable/c/9c4e40b9b731220f9464975e49da75496e3865c4
- https://git.kernel.org/stable/c/d3493d6f0dfb1ab5225b62faa77732983f2187a1
- https://git.kernel.org/stable/c/d55aae5c1730d6b70d5d8eaff00113cd34772ea3
- https://git.kernel.org/stable/c/f7316b2b2f11cf0c6de917beee8d3de728be24db
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html