Date: Wed, 17 Apr 2024 16:54:46 +0200
From: Jan Kara
To: Greg Kroah-Hartman
Cc: Jan Kara, cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-26774: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
Message-ID: <20240417145446.uh2rqcbxlebnkbfm@quack3>
References: <2024040308-CVE-2024-26774-52d9@gregkh> <20240417114324.c77wuw5hvjbm6ok5@quack3> <2024041711-chapter-uninstall-b1d3@gregkh>
In-Reply-To: <2024041711-chapter-uninstall-b1d3@gregkh>
X-Mailing-List: linux-kernel@vger.kernel.org
On Wed 17-04-24 15:30:03, Greg Kroah-Hartman wrote:
> On Wed, Apr 17, 2024 at 01:43:24PM +0200, Jan Kara wrote:
> > Hello!
> >
> > On Wed 03-04-24 19:31:41, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
> > >
> > > Determine if bb_fragments is 0 instead of determining bb_free to eliminate
> > > the risk of dividing by zero when the block bitmap is corrupted.
> > >
> > > The Linux kernel CVE team has assigned CVE-2024-26774 to this issue.
> >
> > I'd like to understand what is the imagined security threat fixed by this
> > patch (as multiple patches of similar nature got assigned a CVE). The patch
> > fixes a bug that if a corrupted filesystem is read-write mounted, we can do
> > division-by-zero. Now if you can make the system mount a corrupted
> > filesystem, you can do many interesting things to the system other than
> > create a division by zero... So what is the presumed threat model here?
>
> Exactly what you said, "if you mount a corrupted file system, you will
> get a divide by zero fault."
>
> Many systems auto-mount any filesystem plugged into it. If yours do
> not, then yours does not need to worry about this type of CVE.

OK, understood. But let me state that with the current state of affairs in
the filesystem land, it will not take a determined attacker long to get
arbitrary code execution out of "maliciously corrupted fs mounted".
The code of most filesystems has simply never been written with the
assumption that it can be presented with malicious data, and we have
hundreds of thousands of lines of code like that. We have fixed the most
glaring problems but by far not all (partly because of performance and
maintenance costs, partly because they are baked into on-disk formats). So
if we should honestly state the situation (and filesystem folks have been
trying to get this message across for a few years already), we should issue
a CVE for "mounting an untrusted fs image can crash your kernel or install a
rootkit on your system". And yes, I know most distros will happily mount
whatever is plugged into the USB port because that is what users expect and
it is convenient. So if anybody wants a practical solution to this security
problem, I'd suggest working on FUSE drivers for the filesystems you care
about and making distros use those when mounting removable media... That is
actually a pretty secure and robust solution if you don't care about
performance *that* much.

								Honza
-- 
Jan Kara
SUSE Labs, CR
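As an added illustration (not the kernel's code and not part of this thread): a constructed model of the two block-group counters the quoted fix refers to, showing why a guard on bb_free only works while the bitmap is intact, and why testing bb_fragments, the actual divisor, closes the division-by-zero regardless of how the counters were corrupted. The struct, function names and the sample bitmap are assumptions made for this example, not ext4's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one block group's mballoc summary (hypothetical,
 * not ext4's struct ext4_group_info): free blocks and free-run count. */
struct group_info {
    uint32_t bb_free;      /* number of free blocks in the group        */
    uint32_t bb_fragments; /* number of runs of consecutive free blocks */
};

/* Derive both counters from a block bitmap (bit set = block in use). On an
 * intact bitmap, bb_free > 0 always implies bb_fragments > 0. */
static void count_from_bitmap(const uint8_t *bitmap, uint32_t nblocks,
                              struct group_info *g)
{
    int prev_free = 0;
    g->bb_free = 0;
    g->bb_fragments = 0;
    for (uint32_t i = 0; i < nblocks; i++) {
        int is_free = !(bitmap[i / 8] & (1u << (i % 8)));
        if (is_free) {
            g->bb_free++;
            if (!prev_free)
                g->bb_fragments++; /* a new run of free blocks starts */
        }
        prev_free = is_free;
    }
}

/* Pre-fix guard tests bb_free, which is not the divisor; post-fix guard tests
 * the divisor itself. Each returns 1 when the division would be attempted. */
static int old_guard_divides(const struct group_info *g) { return g->bb_free != 0; }
static int new_guard_divides(const struct group_info *g) { return g->bb_fragments != 0; }

/* Average free-fragment size under the post-fix guard; 0 means no fragments. */
static uint32_t avg_fragment_size(const struct group_info *g)
{
    return new_guard_divides(g) ? g->bb_free / g->bb_fragments : 0;
}

int main(void)
{
    const uint8_t bitmap[2] = { 0xFC, 0xF0 }; /* constructed: blocks 0-1, 8-11 free */
    struct group_info intact, corrupt = { .bb_free = 5, .bb_fragments = 0 };
    count_from_bitmap(bitmap, 16, &intact);
    printf("intact: avg fragment %u; corrupt summary: old guard divides=%d new=%d\n",
           (unsigned)avg_fragment_size(&intact), old_guard_divides(&corrupt),
           new_guard_divides(&corrupt));
    return 0;
}
```

The "corrupt" summary (free blocks reported but no free runs) is the inconsistent state a damaged bitmap can leave behind; the old guard lets it through to the division, the new one does not.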