CVE-2023-53846

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to do sanity check on direct node in truncate_dnode()<br /> <br /> syzbot reports below bug:<br /> <br /> BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574<br /> Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000<br /> <br /> CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106<br /> print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351<br /> print_report mm/kasan/report.c:462 [inline]<br /> kasan_report+0x11c/0x130 mm/kasan/report.c:572<br /> f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574<br /> truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944<br /> f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154<br /> f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721<br /> f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749<br /> f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799<br /> f2fs_truncate include/linux/fs.h:825 [inline]<br /> f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006<br /> notify_change+0xb2c/0x1180 fs/attr.c:483<br /> do_truncate+0x143/0x200 fs/open.c:66<br /> handle_truncate fs/namei.c:3295 [inline]<br /> do_open fs/namei.c:3640 [inline]<br /> path_openat+0x2083/0x2750 fs/namei.c:3791<br /> do_filp_open+0x1ba/0x410 fs/namei.c:3818<br /> do_sys_openat2+0x16d/0x4c0 fs/open.c:1356<br /> do_sys_open fs/open.c:1372 [inline]<br /> __do_sys_creat fs/open.c:1448 [inline]<br /> __se_sys_creat fs/open.c:1442 [inline]<br /> __x64_sys_creat+0xcd/0x120 fs/open.c:1442<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> The root cause is, inodeA references inodeB via inodeB&amp;#39;s ino, once inodeA<br /> is truncated, it calls truncate_dnode() to truncate data blocks in inodeB&amp;#39;s<br /> node page, it traverse mapping data from node-&gt;i.i_addr[0] to<br /> node-&gt;i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.<br /> <br /> This patch fixes to add sanity check on dnode page in truncate_dnode(),<br /> so that, it can help to avoid triggering such issue, and once it encounters<br /> such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE<br /> error into superblock, later fsck can detect such issue and try repairing.<br /> <br /> Also, it removes f2fs_truncate_data_blocks() for cleanup due to the<br /> function has only one caller, and uses f2fs_truncate_data_blocks_range()<br /> instead.