In the Linux kernel, the following vulnerability has been resolved:
gfs2: Check sb_bsize_shift after reading superblock
Fuzzers like to scribble over sb_bsize_shift, but in reality it is very unlikely that this field would be corrupted on its own. Nevertheless it should be validated to avoid messy mount errors due to bad calculations (e.g. the out-of-range shift reported by UBSAN below). It is always a fixed value derived from the block size, so we can simply check that it holds the expected value.
Tested with:
mkfs.gfs2 -O -p lock_nolock /dev/vdb
for i in 0 -1 64 65 32 33; do
gfs2_edit -p sb field sb_bsize_shift $i /dev/vdb
mount /dev/vdb /mnt/test && umount /mnt/test
done
Before this patch we get a withdraw after
[ 76.413681] gfs2: fsid=loop0.0: fatal: invalid metadata block
[ 76.413681]   bh = 19 (type: exp=5, found=4)
[ 76.413681]   function = gfs2_meta_buffer, file = fs/gfs2/meta_io.c, line = 492
and with UBSAN configured we also get complaints like
[ 76.373395] UBSAN: shift-out-of-bounds in fs/gfs2/ops_fstype.c:295:19
[ 76.373815] shift exponent 4294967287 is too large for 64-bit type 'long unsigned int'
(4294967287 is -9 wrapped to an unsigned 32-bit value, consistent with the sb_bsize_shift=0 case in the test loop above underflowing a subtraction before the shift.)
After the patch these complaints no longer appear: the mount fails immediately and dmesg explains why. Note that the check only validates sb_bsize_shift; the trigger remains a crafted or corrupted on-disk superblock, so the exposure is limited to systems that mount untrusted gfs2 images.
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 613.0, "function_hash": "332428305801165204428495630792945319635" }, "id": "CVE-2022-49769-02cf17c8", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6b1e8ea6f3418c3b461ad5a35cdc93c996b2c87" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "5639217285074308502550866747668428488", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-0749230d", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6b1e8ea6f3418c3b461ad5a35cdc93c996b2c87" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "217904109125027586107916182579441070262", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-2c3ebf2c", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@670f8ce56dd0632dc29a0322e188cc73ce3c6b92" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 655.0, "function_hash": "251922694027097022813039873618886454204" }, "id": "CVE-2022-49769-4ab4a78c", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@28275a7c84d21c55ab3282d897f284d8d527173c" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "5639217285074308502550866747668428488", "298176824356441214070682504711865561728", 
"310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-4b382245", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@15c83fa0fd659dd9fbdc940a560b61236e876a80" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "217904109125027586107916182579441070262", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-54c36a33", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16670534c7cff1acd918a6a5ec751b14e7436b76" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 613.0, "function_hash": "332428305801165204428495630792945319635" }, "id": "CVE-2022-49769-94dba45b", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b6534c9ae9dba5489703a19d8ba6c8f2cfa33c2" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 613.0, "function_hash": "332428305801165204428495630792945319635" }, "id": "CVE-2022-49769-9a415198", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@15c83fa0fd659dd9fbdc940a560b61236e876a80" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "5639217285074308502550866747668428488", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-9ca222ef", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ad197097343568066a8ffaa27ee7d0ae6d9f476" }, { "deprecated": false, "signature_type": "Function", "target": { 
"file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 613.0, "function_hash": "332428305801165204428495630792945319635" }, "id": "CVE-2022-49769-a858335e", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5fa30be7ba81191b0a0c7239a89befc0c94286d5" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "217904109125027586107916182579441070262", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-ad44c00f", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@28275a7c84d21c55ab3282d897f284d8d527173c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 613.0, "function_hash": "332428305801165204428495630792945319635" }, "id": "CVE-2022-49769-b3eb19ba", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ad197097343568066a8ffaa27ee7d0ae6d9f476" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "5639217285074308502550866747668428488", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-bc924fac", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5fa30be7ba81191b0a0c7239a89befc0c94286d5" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "fs/gfs2/ops_fstype.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "5639217285074308502550866747668428488", "298176824356441214070682504711865561728", "310898500712153136360635829460006620717" ], "threshold": 0.9 }, "id": "CVE-2022-49769-ce9776f3", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b6534c9ae9dba5489703a19d8ba6c8f2cfa33c2" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 655.0, "function_hash": "251922694027097022813039873618886454204" }, "id": "CVE-2022-49769-f265316c", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16670534c7cff1acd918a6a5ec751b14e7436b76" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "fs/gfs2/ops_fstype.c", "function": "gfs2_check_sb" }, "signature_version": "v1", "digest": { "length": 655.0, "function_hash": "251922694027097022813039873618886454204" }, "id": "CVE-2022-49769-feee173f", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@670f8ce56dd0632dc29a0322e188cc73ce3c6b92" } ] }