In the Linux kernel, the following vulnerability has been resolved:
libfs: fix infinite directory reads for offset dir
After we switched tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename that happens will fill a new dentry into the dest dir's maple tree (&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset, and then set newx_offset equal to free key + 1. This will lead to infinite readdir when combined with renames happening at the same time, which fails generic/736 in xfstests (details shown below).
We choose the same logic as commit 9b378f6ad48cf ("btrfs: fix infinite directory reads") to fix it: record the last_index when we open the dir, and do not emit entries whose index >= last_index. The file->private_data now used in offset dir can be used directly to do this, and we also update the last_index when we llseek the dir file.
[brauner: only update last_index after seek when offset is zero like Jan suggested]
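The race and the bound described above, as a user-space C model; this is an added example, not kernel code from the commit. The array-backed directory, the reserved keys 0 and 1, `MAX_KEYS` and all function names are assumptions, and renaming each entry right after it is emitted is a constructed workload.

```c
#include <stdio.h>
#include <stdbool.h>

#define MAX_KEYS 4096   /* capacity of this toy model (constructed value) */

/* Toy offset directory: live[k] is true when an entry sits at offset key k. */
struct dir { bool live[MAX_KEYS]; long newx_offset; };

static void dir_init(struct dir *d, int nfiles) {
    for (long k = 0; k < MAX_KEYS; k++) d->live[k] = false;
    d->newx_offset = 2;               /* assumption: keys 0 and 1 are reserved */
    for (int i = 0; i < nfiles; i++) d->live[d->newx_offset++] = true;
}

/* Rename as the description states it: the entry gets the next free key. */
static void dir_rename(struct dir *d, long key) {
    d->live[key] = false;
    if (d->newx_offset < MAX_KEYS) d->live[d->newx_offset++] = true;
}

/* Emit one entry at a time and rename it before reading the next one.
 * last_index < 0 models the unfixed reader; otherwise keys >= last_index
 * (the snapshot taken at open) are not emitted. */
static int read_with_renames(struct dir *d, long last_index, int cap) {
    long pos = 2;
    int emitted = 0;
    while (emitted < cap) {
        while (pos < d->newx_offset && !d->live[pos]) pos++;
        if (pos >= d->newx_offset) break;                 /* end of directory */
        if (last_index >= 0 && pos >= last_index) break;  /* bound from the fix */
        emitted++;
        dir_rename(d, pos++);   /* entry reappears ahead of the cursor */
    }
    return emitted;
}

/* Run one scenario; fixed selects whether last_index is recorded at open. */
int entries_returned(int nfiles, int cap, bool fixed) {
    struct dir d;
    dir_init(&d, nfiles);
    return read_with_renames(&d, fixed ? d.newx_offset : -1, cap);
}

int main(void) {
    printf("unfixed: %d entries (cap 1000)\n", entries_returned(5, 1000, false));
    printf("fixed:   %d entries\n", entries_returned(5, 1000, true));
    return 0;
}
```

Without the bound, a five-entry directory keeps yielding entries until the iteration cap stops the loop; with the snapshot, the reader stops after the five entries that existed at open.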
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 372.0,
"function_hash": "242596715490314908604564638890667445987"
},
"id": "CVE-2024-46701-34657705",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@308b4fc2403b335894592ee9dc212a5e58bb309f",
"target": {
"file": "fs/libfs.c",
"function": "offset_iterate_dir"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 310.0,
"function_hash": "191802620088864463482605909844978431646"
},
"id": "CVE-2024-46701-937e198a",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@308b4fc2403b335894592ee9dc212a5e58bb309f",
"target": {
"file": "fs/libfs.c",
"function": "offset_dir_llseek"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
]
},
"id": "CVE-2024-46701-ace84fc9",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@308b4fc2403b335894592ee9dc212a5e58bb309f",
"target": {
"file": "fs/libfs.c"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 406.0,
"function_hash": "264327046781569687338948710865877501349"
},
"id": "CVE-2024-46701-ee969011",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@308b4fc2403b335894592ee9dc212a5e58bb309f",
"target": {
"file": "fs/libfs.c",
"function": "offset_readdir"
}
}
]