CVE-2023-52705
Severity CVSS v4.0:
Pending analysis
Type:
CWE-191
Integer Underflow (Wrap or Wraparound)
Publication date:
21/05/2024
Last modified:
31/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix underflow in second superblock position calculations

Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second
superblock, underflows when the argument device size is less than 4096
bytes. Therefore, when using this macro, it is necessary to check in
advance that the device size is not less than a lower limit, or at least
that underflow does not occur.

The current nilfs2 implementation lacks this check, causing out-of-bound
block access when mounting devices smaller than 4096 bytes:

I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0
phys_seg 1 prio class 2
NILFS (loop0): unable to read secondary superblock (blocksize = 1024)

In addition, when trying to resize the filesystem to a size below 4096
bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number
of segments to nilfs_sufile_resize(), corrupting parameters such as the
number of segments in superblocks. This causes excessive loop iterations
in nilfs_sufile_resize() during a subsequent resize ioctl, causing
semaphore ns_segctor_sem to block for a long time and hang the writer
thread:

INFO: task segctord:5067 blocked for more than 143 seconds.
Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:segctord state:D stack:23456 pid:5067 ppid:2
flags:0x00004000
Call Trace:

context_switch kernel/sched/core.c:5293 [inline]
__schedule+0x1409/0x43f0 kernel/sched/core.c:6606
schedule+0xc3/0x190 kernel/sched/core.c:6682
rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190
nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]
nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

...
Call Trace:

folio_mark_accessed+0x51c/0xf00 mm/swap.c:515
__nilfs_get_page_block fs/nilfs2/page.c:42 [inline]
nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61
nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121
nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176
nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251
nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]
nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]
nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777
nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422
nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]
nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301
...

This fixes these issues by inserting appropriate minimum device size
checks or anti-underflow checks, depending on where the macro is used.
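Added illustration (not part of the advisory or the kernel patch): the macro below is the definition from the kernel's nilfs2_ondisk.h; the unchecked helper reproduces the wraparound that yields the sector number in the I/O error above, and the checked helper shows the minimum-size guard the fix describes. The 4096-byte bound and the 1 KiB device size are constructed for the example, not the kernel's own constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel definition (include/uapi/linux/nilfs2_ondisk.h): the second
 * superblock lives in the last 4 KiB-aligned block of the device. */
#define NILFS_SB2_OFFSET_BYTES(devsize) ((((devsize) >> 12) - 1) << 12)

#define SECTOR_SHIFT 9 /* 512-byte sectors, as in the kernel block layer */

/* Pre-fix behaviour: devsize < 4096 makes (devsize >> 12) == 0, so the
 * unsigned subtraction wraps to 0xFFFF...F000 instead of an in-range offset. */
static uint64_t sb2_offset_unchecked(uint64_t devsize)
{
	return NILFS_SB2_OFFSET_BYTES(devsize);
}

/* Guarded use: refuse devices too small to hold a second superblock.
 * The 4096-byte minimum is illustrative; the kernel fix uses its own limits. */
static int sb2_offset_checked(uint64_t devsize, uint64_t *offset)
{
	if (devsize < 4096)
		return 0;
	*offset = NILFS_SB2_OFFSET_BYTES(devsize);
	return 1;
}

static uint64_t bytes_to_sector(uint64_t bytes)
{
	return bytes >> SECTOR_SHIFT;
}

int main(void)
{
	uint64_t small = 1024; /* constructed: a 1 KiB loop device */
	uint64_t off = sb2_offset_unchecked(small), good;

	/* Prints the wrapped offset and the same sector reported in the log. */
	printf("unchecked: offset 0x%llx -> sector %llu\n",
	       (unsigned long long)off,
	       (unsigned long long)bytes_to_sector(off));

	if (!sb2_offset_checked(small, &good))
		puts("checked: refused, device smaller than 4096 bytes");
	if (sb2_offset_checked(8192, &good))
		printf("checked: 8192-byte device -> sb2 at byte %llu\n",
		       (unsigned long long)good);
	return 0;
}
```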
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.306 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.273 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.232 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.169 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.95 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc8:*:*:*:*:*:* | | |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5
- https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b
- https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f
- https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d
- https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205
- https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4
- https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff