CVE-2023-52705

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix underflow in second superblock position calculations

Macro NILFSSB2OFFSET_BYTES, which computes the position of the second superblock, underflows when the argument device size is less than 4096 bytes. Therefore, when using this macro, it is necessary to check in advance that the device size is not less than a lower limit, or at least that underflow does not occur.

The current nilfs2 implementation lacks this check, causing out-of-bound block access when mounting devices smaller than 4096 bytes:

I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 NILFS (loop0): unable to read secondary superblock (blocksize = 1024)

In addition, when trying to resize the filesystem to a size below 4096 bytes, this underflow occurs in nilfsresizefs(), passing a huge number of segments to nilfssufileresize(), corrupting parameters such as the number of segments in superblocks. This causes excessive loop iterations in nilfssufileresize() during a subsequent resize ioctl, causing semaphore nssegctorsem to block for a long time and hang the writer thread:

INFO: task segctord:5067 blocked for more than 143 seconds. Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 "echo 0 > /proc/sys/kernel/hungtasktimeoutsecs" disables this message. task:segctord state:D stack:23456 pid:5067 ppid:2 flags:0x00004000 Call Trace: <TASK> contextswitch kernel/sched/core.c:5293 [inline] __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 schedule+0xc3/0x190 kernel/sched/core.c:6682 rwsemdownwrite_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 nilfstransactionlock+0x25c/0x4f0 fs/nilfs2/segment.c:357 nilfssegctorthreadconstruct fs/nilfs2/segment.c:2486 [inline] nilfssegctorthread+0x52f/0x1140 fs/nilfs2/segment.c:2570 kthread+0x270/0x300 kernel/kthread.c:376 retfromfork+0x1f/0x30 arch/x86/entry/entry64.S:308 </TASK> ... Call Trace: <TASK> foliomarkaccessed+0x51c/0xf00 mm/swap.c:515 _nilfsgetpageblock fs/nilfs2/page.c:42 [inline] nilfsgrabbuffer+0x3d3/0x540 fs/nilfs2/page.c:61 nilfsmdtsubmitblock+0xd7/0x8f0 fs/nilfs2/mdt.c:121 nilfsmdtreadblock+0xeb/0x430 fs/nilfs2/mdt.c:176 nilfsmdtgetblock+0x12d/0xbb0 fs/nilfs2/mdt.c:251 nilfssufilegetsegmentusageblock fs/nilfs2/sufile.c:92 [inline] nilfssufiletruncaterange fs/nilfs2/sufile.c:679 [inline] nilfssufileresize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 nilfsresizefs+0x20c/0xed0 fs/nilfs2/super.c:422 nilfsioctlresize fs/nilfs2/ioctl.c:1033 [inline] nilfsioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 ...

This fixes these issues by inserting appropriate minimum device size checks or anti-underflow checks, depending on where the macro is used.