CVE-2023-52900

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52900
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52900.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52900
Related
Published
2024-08-21T07:15:06Z
Modified
2024-09-18T03:24:40.794947Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix general protection fault in nilfsbtreeinsert()

If nilfs2 reads a corrupted disk image and tries to reads a b-tree node block by calling _nilfsbtreegetblock() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave.

When nilfsbtreeinsert() receives this spurious 'not found' code from nilfsbtreedo_lookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash:

general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfsbtreegetnonrootnode fs/nilfs2/btree.c:418 [inline] RIP: 0010:nilfsbtreeprepareinsert fs/nilfs2/btree.c:1077 [inline] RIP: 0010:nilfsbtreeinsert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02 ... Call Trace: <TASK> nilfsbmapdoinsert fs/nilfs2/bmap.c:121 [inline] nilfsbmapinsert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfsgetblock+0x414/0x8d0 fs/nilfs2/inode.c:101 _blockwritebeginint+0x54c/0x1a80 fs/buffer.c:1991 _blockwritebegin fs/buffer.c:2041 [inline] blockwritebegin+0x93/0x1e0 fs/buffer.c:2102 nilfswritebegin+0x9c/0x110 fs/nilfs2/inode.c:261 genericperformwrite+0x2e4/0x5e0 mm/filemap.c:3772 _genericfilewriteiter+0x176/0x400 mm/filemap.c:3900 genericfilewriteiter+0xab/0x310 mm/filemap.c:3932 callwriteiter include/linux/fs.h:2186 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x7dc/0xc50 fs/readwrite.c:584 ksyswrite+0x177/0x2a0 fs/readwrite.c:637 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd ... </TASK>

This patch fixes the root cause of this problem by replacing the error code that _nilfsbtreegetblock() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted.

By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfsbmapconvert_error(), and code -EIO will be eventually returned as it should be.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}