CVE-2024-44939

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 26/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix null ptr deref in dtInsertEntry

[syzbot reported]
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713
...

[Analyze]
In dtInsertEntry(), when the pointer h has the same value as p, p->header.flag is cleared after the name is written by UniStrncpy_to_le(). This causes the previously true judgment "p->header.flag & BT_LEAF" to become false after the name is written, which leads to entering an incorrect branch and accessing the uninitialized object ih when this condition is checked a second time.

[Fix]
After getting the page, check freelist first; if freelist == 0, exit dtInsert() and return -EINVAL.
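The aliasing described in the analysis, reduced to a constructed C model added here (this is not the jfs code and not the kernel's patch): a header and an entry-slot array share the same bytes, so a freelist of 0 makes the entry pointer h alias the header, and the name write clears the flag that the BT_LEAF test relies on. The page layout, the BT_LEAF value, write_name() and run_case() are assumptions; only the up-front freelist == 0 check returning -EINVAL follows the advisory.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define BT_LEAF 0x01 /* leaf-page flag bit; value chosen for this model */
/* Constructed model: a directory page whose header is slot 0 and whose entry
 * slots share that storage, so slot index 0 aliases the header (the overlap
 * the advisory describes; the real jfs dtpage_t layout differs). */
struct slot { uint8_t bytes[16]; };
union page {
    struct { uint8_t flag; uint8_t freelist; uint8_t pad[14]; } header;
    struct slot slot[4];
};

/* Models writing a name into an entry (UniStrncpy_to_le in the kernel):
 * the slot is cleared, then the name is stored after a 2-byte prefix. */
static void write_name(struct slot *h, const char *name) {
    memset(h->bytes, 0, sizeof h->bytes);
    strncpy((char *)h->bytes + 2, name, sizeof h->bytes - 2);
}

/* Buggy path: trusts header.freelist as the free slot index. With freelist 0,
 * h aliases the header, the name write clears header.flag, and the BT_LEAF
 * test re-evaluated after the write disagrees with the first evaluation.
 * Returns 1 if the two evaluations diverged (the bug), 0 otherwise. */
static int dt_insert_buggy(union page *p, const char *name) {
    int leaf_before = (p->header.flag & BT_LEAF) != 0;
    struct slot *h = &p->slot[p->header.freelist];
    write_name(h, name);
    int leaf_after = (p->header.flag & BT_LEAF) != 0;
    return leaf_before != leaf_after;
}

/* Fixed path, as in the advisory: check freelist before touching any slot
 * and reject the page with -EINVAL when it is 0. */
static int dt_insert_fixed(union page *p, const char *name) {
    if (p->header.freelist == 0)
        return -EINVAL;
    write_name(&p->slot[p->header.freelist], name);
    return 0;
}

/* Build a leaf page with the given freelist and run one insert variant. */
static int run_case(uint8_t freelist, int use_fixed) {
    union page p;
    memset(&p, 0, sizeof p);
    p.header.flag = BT_LEAF;
    p.header.freelist = freelist;
    return use_fixed ? dt_insert_fixed(&p, "file.txt") : dt_insert_buggy(&p, "file.txt");
}
```

run_case(0, 0) returns 1 (the leaf test flips after the write) while run_case(0, 1) returns -EINVAL before any slot is written; a sane freelist such as 2 gives 0 on both paths.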

Vulnerable products and versions

CPE                                              | From            | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | (any)           | 6.6.47 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.7 (including) | 6.10.6 (excluding)