CVE-2023-52604
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/03/2024
Last modified:
12/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree

Syzkaller reported the following issue:

```
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
panic+0x30f/0x770 kernel/panic.c:340
check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
ubsan_epilogue lib/ubsan.c:223 [inline]
__ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e0
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Kernel Offset: disabled
Rebooting in 86400 seconds..
```

The issue is caused when the value of lp becomes greater than
CTLTREESIZE which is the max size of stree. Adding a simple check
solves this issue.

Dave:
As the function returns a void, good error handling
would require a more intrusive code reorganization, so I modified
Osama's patch to use WARN_ON_ONCE for lack of a cleaner option.

The patch is tested via syzbot.
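The commit message above describes the fix only in outline: the leaf index `lp` is derived from values read from the on-disk dmap structure, it can exceed `CTLTREESIZE` (the size of the `s8[1365]` array in the report), and because the function returns `void` the fix warns once and bails out instead of propagating an error. The following is an added, self-contained C model of that pattern; it is not the kernel's `dbAdjTree` and not the patch itself. The 4-ary summary tree layout (1024 leaves plus 341 internal nodes, leaf index 341) is this example's assumption, chosen so that the array size comes out to the 1365 elements the report shows; the rejected index 196694 is the one from the UBSAN message. The check here also rejects a negative `lp`, which goes slightly beyond the "greater than CTLTREESIZE" case the message names, since both operands of the addition come from disk.

```c
#include <stdio.h>
#include <string.h>

/* Model of a control-page summary tree: a 4-ary tree stored level by level in
 * one flat array of signed bytes. 1 + 4 + 16 + 64 + 256 internal nodes and
 * 1024 leaves give 1365 entries, the 's8[1365]' of the UBSAN report.
 * These layout constants are the example's assumptions, not kernel headers. */
#define CTLTREESIZE ((1 << 10) + (1 << 8) + (1 << 6) + (1 << 4) + (1 << 2) + 1) /* 1365 */
#define CTLLEAFIND  ((1 << 8) + (1 << 6) + (1 << 4) + (1 << 2) + 1)             /* 341 */
#define NOFREE      (-1)

struct ctltree {
    int leafidx;                    /* index of leaf 0 in stree; read from disk in JFS */
    signed char stree[CTLTREESIZE]; /* the array the report shows being indexed OOB */
};

static int warn_fired;              /* how many times the warning actually printed */

/* Stand-in for the kernel's WARN_ON_ONCE(): prints the first time the
 * condition is true, returns the condition so it can gate an early return. */
static int warn_on_once(int cond, const char *what)
{
    static int already;
    if (cond && !already) {
        already = 1;
        warn_fired++;
        fprintf(stderr, "WARNING: %s\n", what);
    }
    return cond;
}

static void ctltree_init(struct ctltree *tp)
{
    tp->leafidx = CTLLEAFIND;
    memset(tp->stree, NOFREE, sizeof tp->stree);
}

/* Parent/child arithmetic for a 4-ary tree with the root at index 0. */
static int parent_of(int i) { return (i - 1) / 4; }
static int first_child(int p) { return 4 * p + 1; }

/* Set the leaf for leafno to newval and propagate the maximum upward.
 * Returns 0 when applied, -1 when the computed index is outside stree.
 * (The kernel function returns void; the fix warns once and returns.) */
static int db_adj_tree(struct ctltree *tp, int leafno, signed char newval)
{
    int lp = leafno + tp->leafidx;

    /* The added bounds check: leafno and leafidx both originate from the
     * on-disk image, so a corrupted filesystem can push lp past the array. */
    if (warn_on_once(lp < 0 || lp >= CTLTREESIZE, "lp out of range for stree"))
        return -1;

    tp->stree[lp] = newval;
    while (lp > 0) {
        int pp = parent_of(lp);
        int c = first_child(pp);
        signed char max = tp->stree[c];
        for (int k = 1; k < 4; k++)
            if (tp->stree[c + k] > max)
                max = tp->stree[c + k];
        if (tp->stree[pp] == max)   /* nothing changed above this level */
            break;
        tp->stree[pp] = max;
        lp = pp;
    }
    return 0;
}

int main(void)
{
    struct ctltree t;
    ctltree_init(&t);
    printf("leaf 0 -> 5: rc=%d, root=%d\n", db_adj_tree(&t, 0, 5), t.stree[0]);
    /* Constructed leafno that makes lp equal to 196694, the index in the report. */
    printf("bad leafno: rc=%d, warnings=%d\n",
           db_adj_tree(&t, 196694 - CTLLEAFIND, 5), warn_fired);
    return 0;
}
```

The detection signal a defender gets from this shape of fix is the one-time kernel warning rather than a UBSAN splat followed by a panic when `panic_on_warn` is set; the write that would have landed outside `stree` never happens, and the rest of the commit path continues with the tree left unchanged for that leaf.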
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.307 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.269 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.210 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.149 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.77 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/42f433785f108893de0dd5260bafb85d7d51db03
- https://git.kernel.org/stable/c/59342822276f753e49d27ef5eebffbba990572b9
- https://git.kernel.org/stable/c/6a44065dd604972ec1fbcccbdc4a70d266a89cdd
- https://git.kernel.org/stable/c/6fe8b702125aeee6ce83f20092a2341446704e7b
- https://git.kernel.org/stable/c/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68
- https://git.kernel.org/stable/c/98f9537fe61b8382b3cc5dd97347531698517c56
- https://git.kernel.org/stable/c/de34de6e57bbbc868e4fcf9e98c76b3587cabb0b
- https://git.kernel.org/stable/c/e3e95c6850661c77e6dab079d9b5374a618ebb15
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html