CVE-2024-46701

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46701
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46701.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46701
Downstream
Published
2024-09-13T07:15:05Z
Modified
2024-09-19T13:40:27Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

libfs: fix infinite directory reads for offset dir

After we switch tmpfs dir operations from simplediroperations to simpleoffsetdiroperations, every rename happened will fill new dentry to dest dir's maple tree(&SHMEMI(inode)->diroffsets->mt) with a free key starting with octx->newxoffset, and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time, which fail generic/736 in xfstests(detail show as below).

  1. create 5000 files(1 2 3...) under one dir
  2. call readdir(man 3 readdir) once, and get one entry
  3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)
  4. loop 2~3, until readdir return nothing or we loop too many times(tmpfs break test with the second condition)

We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite directory reads") to fix it, record the lastindex when we open dir, and do not emit the entry which index >= lastindex. The file->privatedata now used in offset dir can use directly to do this, and we also update the lastindex when we llseek the dir file.

[brauner: only update last_index after seek when offset is zero like Jan suggested]

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}