CVE-2024-56619

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/12/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled.

This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned.

This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size.

Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required.
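The truncation described above can be reproduced in user space. The following is an added example, not the kernel's code: it models the byte-count calculation with a 32-bit and a 64-bit local variable. The function names, the 4 KiB page size, the `i_size` value and the record length are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                    /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1u << PAGE_SHIFT)

/* Pre-fix model: i_size lands in a 32-bit local, so its upper 32 bits are lost. */
static unsigned int last_byte_truncated(uint64_t i_size, unsigned long page_nr)
{
    unsigned int last_byte = (unsigned int)i_size;

    last_byte -= (unsigned int)(page_nr << PAGE_SHIFT);
    if (last_byte > PAGE_SIZE)
        last_byte = PAGE_SIZE;
    return last_byte;
}

/* Post-fix model: a 64-bit local keeps the full size until it is clamped. */
static unsigned int last_byte_fixed(uint64_t i_size, unsigned long page_nr)
{
    uint64_t last_byte = i_size;

    last_byte -= (uint64_t)page_nr << PAGE_SHIFT;
    if (last_byte > PAGE_SIZE)
        last_byte = PAGE_SIZE;
    return (unsigned int)last_byte;      /* <= PAGE_SIZE, so no bit loss */
}

/* Caller-side end offset: valid bytes in the page minus one record length. */
static unsigned int search_end_offset(unsigned int last_byte, unsigned int reclen)
{
    return last_byte - reclen;           /* wraps when last_byte < reclen */
}

int main(void)
{
    const uint64_t i_size = 0x100000000ULL;  /* constructed corrupted size */
    const unsigned int reclen = 16;          /* constructed record length */
    unsigned int before = last_byte_truncated(i_size, 0);
    unsigned int after = last_byte_fixed(i_size, 0);

    printf("pre-fix : last_byte=%u end_offset=0x%x\n",
           before, search_end_offset(before, reclen));
    printf("post-fix: last_byte=%u end_offset=0x%x\n",
           after, search_end_offset(after, reclen));
    return 0;
}
```

With the 32-bit local, the constructed size collapses to zero valid bytes and the end offset wraps far past the page; with the 64-bit local the count is clamped to the page size and the end offset stays inside it.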

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.30 (including) | 5.4.287 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.174 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.120 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.66 (including) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.5 (including) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |