CVE-2024-47699

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()<br /> <br /> Patch series "nilfs2: fix potential issues with empty b-tree nodes".<br /> <br /> This series addresses three potential issues with empty b-tree nodes that<br /> can occur with corrupted filesystem images, including one recently<br /> discovered by syzbot.<br /> <br /> <br /> This patch (of 3):<br /> <br /> If a b-tree is broken on the device, and the b-tree height is greater than<br /> 2 (the level of the root node is greater than 1) even if the number of<br /> child nodes of the b-tree root is 0, a NULL pointer dereference occurs in<br /> nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().<br /> <br /> This is because, when the number of child nodes of the b-tree root is 0,<br /> nilfs_btree_do_lookup() does not set the block buffer head in any of<br /> path[x].bp_bh, leaving it as the initial value of NULL, but if the level<br /> of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),<br /> which accesses the buffer memory of path[x].bp_bh, is called.<br /> <br /> Fix this issue by adding a check to nilfs_btree_root_broken(), which<br /> performs sanity checks when reading the root node from the device, to<br /> detect this inconsistency.<br /> <br /> Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause<br /> early on.