CVE-2024-26868

BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:fflayoutcancelio+0x3a/0x90 [nfslayoutflexfiles] Call Trace: <TASK> ? _die+0x78/0xc0 ? pagefaultoops+0x286/0x380 ? _rpcexecute+0x2c3/0x470 [sunrpc] ? rpcnewtask+0x42/0x1c0 [sunrpc] ? excpagefault+0x5d/0x110 ? asmexcpagefault+0x22/0x30 ? fflayoutfreelayoutreturn+0x110/0x110 [nfslayoutflexfiles] ? fflayoutcancelio+0x3a/0x90 [nfslayoutflexfiles] ? fflayoutcancelio+0x6f/0x90 [nfslayoutflexfiles] pnfsmarkmatchinglsegsreturn+0x1b0/0x360 [nfsv4] pnfserrormarklayoutforreturn+0x9e/0x110 [nfsv4] ? fflayoutsendlayouterror+0x50/0x160 [nfslayoutflexfiles] nfs4fflayoutprepareds+0x11f/0x290 [nfslayoutflexfiles] fflayoutpginitwrite+0xf0/0x1f0 [nfslayoutflexfiles] _nfspageioaddrequest+0x154/0x6c0 [nfs] nfspageioaddrequest+0x26b/0x380 [nfs] nfsdowritepage+0x111/0x1e0 [nfs] nfswritepagescallback+0xf/0x30 [nfs] writecachepages+0x17f/0x380 ? nfspageioinitwrite+0x50/0x50 [nfs] ? nfswritepages+0x6d/0x210 [nfs] ? nfswritepages+0x6d/0x210 [nfs] nfswritepages+0x125/0x210 [nfs] dowritepages+0x67/0x220 ? genericperformwrite+0x14b/0x210 filemapfdatawritewbc+0x5b/0x80 filewriteandwaitrange+0x6d/0xc0 nfsfilefsync+0x81/0x170 [nfs] ? nfsfilemmap+0x60/0x60 [nfs] _x64sysfsync+0x53/0x90 dosyscall64+0x3d/0x90 entrySYSCALL64after_hwframe+0x46/0xb0

Inspecting the core with drgn I was able to pull this

prog.crashedthread().stacktrace()[0] #0 at 0xffffffffa079657a (fflayoutcancelio+0x3a/0x84) in fflayoutcancelio at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 prog.crashedthread().stacktrace()[0]['idx'] (u32)1 prog.crashedthread().stacktrace()[0]['flseg'].mirrorarray[1].mirrords (struct nfs4fflayout_ds *)0xffffffffffffffed

This is clear from the stack trace, we call nfs4fflayoutprepareds() which could error out initializing the mirrords, and then we go to clean it all up and our check is only for if (!mirror->mirrords). This is inconsistent with the rest of the users of mirror_ds, which have

if (ISERRORNULL(mirrords))

to keep from tripping over this exact scenario. Fix this up in fflayoutcancelio() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirrords and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b739a5bd9d9f18cc69dced8db128ef7206e000cd

Fixed

31db25e3141b20e2a76a9f219eeca52e3cab126c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b739a5bd9d9f18cc69dced8db128ef7206e000cd

Fixed

7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b739a5bd9d9f18cc69dced8db128ef7206e000cd

Fixed

5ada9016b1217498fad876a3d5b07645cc955608

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b739a5bd9d9f18cc69dced8db128ef7206e000cd

Fixed

dac068f164ad05b35e7c0be13f138c3f6adca58f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b739a5bd9d9f18cc69dced8db128ef7206e000cd

Fixed

719fcafe07c12646691bd62d7f8d94d657fa0766

Affected versions

v6.*

v6.0

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.83

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.23

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.11

Type: ECOSYSTEM
Events: Introduced

6.8.0

Fixed

6.8.2