Message-ID: <362b1e1b-dcdb-4801-a9fc-18d019e7c775@huawei.com>
Date: Thu, 13 Jun 2024 19:21:14 +0800
Subject: Re: CVE-2024-36966: erofs: reliably distinguish block based and fscache mode
From: Baokun Li
To: Gao Xiang
CC: Greg Kroah-Hartman, Baokun Li, 杨二坤
References: <2024060804-CVE-2024-36966-8bbb@gregkh> <686626cd-7dcd-4931-bf55-108522b9bfeb@linux.alibaba.com>
In-Reply-To: <686626cd-7dcd-4931-bf55-108522b9bfeb@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2024/6/13 17:38, Gao Xiang wrote:
> Hi,
>
> (+Cc Baokun Li)
>
> On 2024/6/8 20:53, Greg Kroah-Hartman wrote:
>> Description
>> ===========
>>
>> In the Linux kernel, the following vulnerability has been resolved:
>>
>> erofs: reliably distinguish block based and fscache mode
>>
>> When erofs_kill_sb() is called in block dev based mode, s_bdev may not
>> have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,
>> it will be mistaken for fscache mode, and then attempt to free an anon_dev
>> that has never been allocated, triggering the following warning:
>>
>> ============================================
>> ida_free called for id=0 which is not allocated.
>> WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140
>> Modules linked in:
>> CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630
>> RIP: 0010:ida_free+0x134/0x140
>> Call Trace:
>>
>>   erofs_kill_sb+0x81/0x90
>>   deactivate_locked_super+0x35/0x80
>>   get_tree_bdev+0x136/0x1e0
>>   vfs_get_tree+0x2c/0xf0
>>   do_new_mount+0x190/0x2f0
>>   [...]
>> ============================================
>>
>> Now when erofs_kill_sb() is called, erofs_sb_info must have been
>> initialised, so use sbi->fsid to distinguish between the two modes.
>>
>> The Linux kernel CVE team has assigned CVE-2024-36966 to this issue.
>>
>>
>> Affected and fixed versions
>> ===========================
>>
>>     Fixed in 6.6.32 with commit f9b877a7ee31
>>     Fixed in 6.8.11 with commit dcdd49701e42
>>     Fixed in 6.9 with commit 7af2ae1b1531
>
> For reference, this issue doesn't affect Linux kernel below 6.6.
>
> This behavior ("s_bdev may not be initialized in erofs_kill_sb()")
> is introduced due to commit aca740cecbe5 ("fs: open block device after
> superblock creation").
>
> In other words, previously .kill_sb() was called only after
> fill_super failed and problematic erofs_kill_sb() called due to
> setup_bdev_super() failure can only happen since Linux 6.6.
>
> Thanks,
> Gao Xiang

Exactly! I'm so sorry I forgot to add the Fixes tag.

Thanks,
Baokun

>
>> Please see https://www.kernel.org for a full list of currently supported
>> kernel versions by the kernel community.
>>
>> Unaffected versions might change over time as fixes are backported to
>> older supported kernel versions.  The official CVE entry at
>>     https://cve.org/CVERecord/?id=CVE-2024-36966
>> will be updated if fixes are backported, please check that for the most
>> up to date information about this issue.
>>
>>
>> Affected files
>> ==============
>>
>> The file(s) affected by this issue are:
>>     fs/erofs/super.c
>>
>>
>> Mitigation
>> ==========
>>
>> The Linux kernel CVE team recommends that you update to the latest
>> stable kernel version for this, and many other bugfixes. Individual
>> changes are never tested alone, but rather are part of a larger kernel
>> release.  Cherry-picking individual commits is not recommended or
>> supported by the Linux kernel community at all.  If however, updating to
>> the latest release is impossible, the individual changes to resolve this
>> issue can be found at these commits:
>>     https://git.kernel.org/stable/c/f9b877a7ee312ec8ce17598a7ef85cb820d7c371
>>     https://git.kernel.org/stable/c/dcdd49701e429c55b3644fd70fc58d85745f8cfe
>>     https://git.kernel.org/stable/c/7af2ae1b1531feab5d38ec9c8f472dc6cceb4606
>>
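Added example, not the kernel's or the patch's code: a toy C model of the mode check the CVE text describes, with the s_bdev-based decision beside the sbi->fsid-based one, fed the failed block-mode mount from Gao Xiang's explanation (setup_bdev_super() failed, so s_bdev is still NULL). The struct layouts, the bitmap IDA and the failed_block_mount_ok() helper are assumptions; the real erofs_kill_sb() and kernel IDA are not reproduced.

```c
/* Added example, not kernel code: a toy model of the erofs_kill_sb() mode
 * check described in the CVE text. Names (s_bdev, sbi->fsid, anon_dev,
 * ida_free) mirror the message; structs and the IDA are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>

#define CONFIG_EROFS_FS_ONDEMAND 1  /* assumption: fscache support built in */

struct erofs_sb_info {
    const char *fsid;  /* assumption: set only for fscache-mode mounts */
    int anon_dev;      /* id handed out by the toy IDA in fscache mode */
};
struct super_block {
    void *s_bdev;                    /* NULL until the block device is opened */
    struct erofs_sb_info *s_fs_info; /* sbi: initialised before kill_sb runs */
};

/* Toy IDA bitmap; freeing an unallocated id is the report's WARNING, here false. */
static unsigned long ida_bits;
static bool toy_ida_free(int id)
{
    if (!(ida_bits & (1UL << id)))
        return false;            /* "ida_free called for id=0 which is not allocated" */
    ida_bits &= ~(1UL << id);
    return true;
}

/* "Before": infer the mode from s_bdev. On the 6.6+ path where
 * setup_bdev_super() fails, a block-mode sb still has s_bdev == NULL, so
 * this wrongly takes the fscache branch and frees a never-allocated id. */
static bool kill_sb_by_s_bdev(struct super_block *sb)
{
    if (CONFIG_EROFS_FS_ONDEMAND && !sb->s_bdev)
        return toy_ida_free(sb->s_fs_info->anon_dev);
    return true;                     /* block path: nothing to free here */
}
/* "After": sbi is always populated by now, so sbi->fsid is reliable. */
static bool kill_sb_by_fsid(struct super_block *sb)
{
    if (CONFIG_EROFS_FS_ONDEMAND && sb->s_fs_info->fsid)
        return toy_ida_free(sb->s_fs_info->anon_dev);
    return true;
}

/* Constructed scenario: block-mode mount whose bdev open failed. */
static bool failed_block_mount_ok(bool (*kill_sb)(struct super_block *))
{
    struct erofs_sb_info sbi = { .fsid = NULL, .anon_dev = 0 };
    struct super_block sb = { .s_bdev = NULL, .s_fs_info = &sbi };
    ida_bits = 0;
    return kill_sb(&sb);   /* false = freed an id that was never allocated */
}
```

For a genuine fscache-mode sb (fsid set, anon_dev allocated) both variants free the id, which is why the fsid check is a drop-in replacement on the intended path.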