In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix missing cleanup on rollforward recovery error
In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug.
It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed.
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.
{ "vanir_signatures": [ { "signature_version": "v1", "signature_type": "Function", "target": { "file": "fs/nilfs2/recovery.c", "function": "nilfs_salvage_orphan_logs" }, "id": "CVE-2024-46781-04de822c", "digest": { "length": 978.0, "function_hash": "219686648461158301430982863463526395939" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@07e4dc2fe000ab008bcfe90be4324ef56b5b4355" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "fs/nilfs2/recovery.c", "function": "nilfs_salvage_orphan_logs" }, "id": "CVE-2024-46781-05b90875", "digest": { "length": 978.0, "function_hash": "219686648461158301430982863463526395939" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d8c3a585d564d776ee60d4aabec59b404be7403" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "fs/nilfs2/recovery.c" }, "id": "CVE-2024-46781-14bf56fb", "digest": { "line_hashes": [ "198127307475075103178961400956600277863", "313623997121039300355071574606249421317", "244798746062192461418755276794319602243", "110737214694843067310144548386911368577", "218836068945829534001207116735241756737", "96231246908872758743043238981567743479", "325494659321104184618801482720768458806", "44268187319905913456803042393270562307", "164330016273191300892834572430196472653", "63112231544630469514055143151991819800", "35926710644022670798667079152331331901", "180037943282858794760804433750966770918", "24949159947307994635263672117846803290" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8e2d1e9d93c4ec51354229361ac3373058529ec4" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "fs/nilfs2/recovery.c" }, "id": "CVE-2024-46781-37af7404", "digest": { "line_hashes": [ "198127307475075103178961400956600277863", "313623997121039300355071574606249421317", 
"244798746062192461418755276794319602243", "110737214694843067310144548386911368577", "218836068945829534001207116735241756737", "96231246908872758743043238981567743479", "325494659321104184618801482720768458806", "44268187319905913456803042393270562307", "164330016273191300892834572430196472653", "63112231544630469514055143151991819800", "35926710644022670798667079152331331901", "180037943282858794760804433750966770918", "24949159947307994635263672117846803290" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5787fcaab9eb5930f5378d6a1dd03d916d146622" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "fs/nilfs2/recovery.c" }, "id": "CVE-2024-46781-5570788a", "digest": { "line_hashes": [ "198127307475075103178961400956600277863", "313623997121039300355071574606249421317", "244798746062192461418755276794319602243", "110737214694843067310144548386911368577", "218836068945829534001207116735241756737", "96231246908872758743043238981567743479", "325494659321104184618801482720768458806", "44268187319905913456803042393270562307", "164330016273191300892834572430196472653", "63112231544630469514055143151991819800", "35926710644022670798667079152331331901", "180037943282858794760804433750966770918", "24949159947307994635263672117846803290" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@07e4dc2fe000ab008bcfe90be4324ef56b5b4355" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "fs/nilfs2/recovery.c" }, "id": "CVE-2024-46781-5850e0ef", "digest": { "line_hashes": [ "198127307475075103178961400956600277863", "313623997121039300355071574606249421317", "244798746062192461418755276794319602243", "110737214694843067310144548386911368577", "218836068945829534001207116735241756737", "96231246908872758743043238981567743479", "325494659321104184618801482720768458806", 
"44268187319905913456803042393270562307", "164330016273191300892834572430196472653", "63112231544630469514055143151991819800", "35926710644022670798667079152331331901", "180037943282858794760804433750966770918", "24949159947307994635263672117846803290" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d8c3a585d564d776ee60d4aabec59b404be7403" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "fs/nilfs2/recovery.c", "function": "nilfs_salvage_orphan_logs" }, "id": "CVE-2024-46781-6ab1216a", "digest": { "length": 978.0, "function_hash": "219686648461158301430982863463526395939" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5787fcaab9eb5930f5378d6a1dd03d916d146622" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "fs/nilfs2/recovery.c", "function": "nilfs_salvage_orphan_logs" }, "id": "CVE-2024-46781-6b7ea7a3", "digest": { "length": 978.0, "function_hash": "219686648461158301430982863463526395939" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8e2d1e9d93c4ec51354229361ac3373058529ec4" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "fs/nilfs2/recovery.c", "function": "nilfs_salvage_orphan_logs" }, "id": "CVE-2024-46781-ae522523", "digest": { "length": 978.0, "function_hash": "219686648461158301430982863463526395939" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@da02f9eb333333b2e4f25d2a14967cff785ac82e" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "fs/nilfs2/recovery.c" }, "id": "CVE-2024-46781-c5be38fd", "digest": { "line_hashes": [ "198127307475075103178961400956600277863", "313623997121039300355071574606249421317", "244798746062192461418755276794319602243", "110737214694843067310144548386911368577", 
"218836068945829534001207116735241756737", "96231246908872758743043238981567743479", "325494659321104184618801482720768458806", "44268187319905913456803042393270562307", "164330016273191300892834572430196472653", "63112231544630469514055143151991819800", "35926710644022670798667079152331331901", "180037943282858794760804433750966770918", "24949159947307994635263672117846803290" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@da02f9eb333333b2e4f25d2a14967cff785ac82e" } ] }