Date: Thu, 13 Jun 2024 15:55:49 +0200
From: Greg Kroah-Hartman
To: Baokun Li
Cc: Gao Xiang, cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org, Baokun Li, 杨二坤
Subject: Re: CVE-2024-36966: erofs: reliably distinguish block based and fscache mode
Message-ID: <2024061323-ibuprofen-dreamy-ae0b@gregkh>
References: <2024060804-CVE-2024-36966-8bbb@gregkh> <686626cd-7dcd-4931-bf55-108522b9bfeb@linux.alibaba.com> <362b1e1b-dcdb-4801-a9fc-18d019e7c775@huawei.com>
In-Reply-To: <362b1e1b-dcdb-4801-a9fc-18d019e7c775@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 13, 2024 at 07:21:14PM +0800, Baokun Li wrote:
> On 2024/6/13 17:38, Gao Xiang wrote:
> > Hi,
> >
> > (+Cc Baokun Li)
> >
> > On 2024/6/8 20:53, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > erofs: reliably distinguish block based and fscache mode
> > >
> > > When erofs_kill_sb() is called in block dev based mode, s_bdev may not
> > > have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,
> > > it will be mistaken for fscache mode, and then attempt to free an anon_dev
> > > that has never been allocated, triggering the following warning:
> > >
> > > ============================================
> > > ida_free called for id=0 which is not allocated.
> > > WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140
> > > Modules linked in:
> > > CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630
> > > RIP: 0010:ida_free+0x134/0x140
> > > Call Trace:
> > >  ?
> > >  ? erofs_kill_sb+0x81/0x90
> > >  ? deactivate_locked_super+0x35/0x80
> > >  ? get_tree_bdev+0x136/0x1e0
> > >  ? vfs_get_tree+0x2c/0xf0
> > >  ? do_new_mount+0x190/0x2f0
> > >  ? [...]
> > > ============================================
> > >
> > > Now when erofs_kill_sb() is called, erofs_sb_info must have been
> > > initialised, so use sbi->fsid to distinguish between the two modes.
> > >
> > > The Linux kernel CVE team has assigned CVE-2024-36966 to this issue.
> > >
> > >
> > > Affected and fixed versions
> > > ===========================
> > >
> > >     Fixed in 6.6.32 with commit f9b877a7ee31
> > >     Fixed in 6.8.11 with commit dcdd49701e42
> > >     Fixed in 6.9 with commit 7af2ae1b1531
> >
> > For reference, this issue doesn't affect Linux kernels below 6.6.
> >
> > This behavior ("s_bdev may not be initialized in erofs_kill_sb()")
> > was introduced by commit aca740cecbe5 ("fs: open block device after
> > superblock creation").
> >
> > In other words, previously .kill_sb() was called only after
> > fill_super failed, and a problematic erofs_kill_sb() call due to a
> > setup_bdev_super() failure can only happen since Linux 6.6.
> >
> > Thanks,
> > Gao Xiang
>
> Exactly! I'm so sorry I forgot to add the Fixes tag.

No worries. I've updated the CVE database with this information and the
json file and web site will show the new information soon when it gets
propagated.

thanks,

greg k-h
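The failure path the CVE text describes, modelled as an added stand-alone C example. This is not erofs or kernel code: every type, helper and name below (model_ida_alloc, kill_sb_before, kill_sb_after, the bdev_open_failure scenario) is constructed here to show why dispatching teardown on a field that is only filled in later (s_bdev) misfires when the mount aborts early, and why dispatching on a field populated when the per-superblock info is created (sbi->fsid) does not.

```c
/*
 * Stand-alone model of the erofs_kill_sb() teardown bug and its fix.
 * Constructed for illustration; NOT the kernel's erofs or VFS code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Tiny stand-in for the kernel's ida: tracks live ids and counts frees of
 * ids that were never handed out (the "ida_free called for id=0" WARNING). */
#define MAX_IDS 8
static bool id_live[MAX_IDS];
static int bogus_free_count;

static int model_ida_alloc(void)
{
	for (int i = 0; i < MAX_IDS; i++) {
		if (!id_live[i]) {
			id_live[i] = true;
			return i;
		}
	}
	return -1;
}

static void model_ida_free(int id)
{
	if (id < 0 || id >= MAX_IDS || !id_live[id]) {
		bogus_free_count++;	/* freeing an id that was never allocated */
		return;
	}
	id_live[id] = false;
}

struct block_device { bool released; };

/* Per-superblock info. fsid comes from the mount options and is set before
 * any block device is opened, so it is valid whenever teardown runs. */
struct erofs_sb_info {
	const char *fsid;	/* non-NULL only in fscache (on-demand) mode */
	int anon_dev;		/* id allocated only in fscache mode */
};

struct super_block {
	struct block_device *s_bdev;	/* NULL until the bdev has been opened */
	struct erofs_sb_info *s_fs_info;
};

/* Before the fix: mode is inferred from s_bdev, which may not exist yet. */
static void kill_sb_before(struct super_block *sb)
{
	struct erofs_sb_info *sbi = sb->s_fs_info;

	if (!sb->s_bdev)			/* wrongly taken as fscache mode */
		model_ida_free(sbi->anon_dev);
	else
		sb->s_bdev->released = true;
}

/* After the fix: mode is read from sbi->fsid, initialised before any
 * teardown path can run. */
static void kill_sb_after(struct super_block *sb)
{
	struct erofs_sb_info *sbi = sb->s_fs_info;

	if (sbi->fsid)
		model_ida_free(sbi->anon_dev);
	else if (sb->s_bdev)
		sb->s_bdev->released = true;
}

/* Block-based mount where opening the device fails before s_bdev is set, so
 * .kill_sb runs on a half-initialised superblock. Returns the number of
 * bogus id frees the teardown caused; 0 is the correct result. */
static int bdev_open_failure(void (*kill_sb)(struct super_block *))
{
	struct erofs_sb_info sbi = { .fsid = NULL, .anon_dev = 0 };
	struct super_block sb = { .s_bdev = NULL, .s_fs_info = &sbi };
	int before = bogus_free_count;

	kill_sb(&sb);
	return bogus_free_count - before;
}

/* Normal fscache teardown: the allocated id must be released exactly once. */
static bool fscache_teardown(void (*kill_sb)(struct super_block *))
{
	struct erofs_sb_info sbi = { .fsid = "constructed-fsid" };
	struct super_block sb = { .s_bdev = NULL, .s_fs_info = &sbi };
	int before = bogus_free_count;

	sbi.anon_dev = model_ida_alloc();
	kill_sb(&sb);
	return !id_live[sbi.anon_dev] && bogus_free_count == before;
}

/* Normal block-based teardown: the bdev is released and no id is touched. */
static bool bdev_teardown(void (*kill_sb)(struct super_block *))
{
	struct block_device bdev = { .released = false };
	struct erofs_sb_info sbi = { .fsid = NULL, .anon_dev = 0 };
	struct super_block sb = { .s_bdev = &bdev, .s_fs_info = &sbi };
	int before = bogus_free_count;

	kill_sb(&sb);
	return bdev.released && bogus_free_count == before;
}

int main(void)
{
	printf("bdev open failure, before fix: %d bogus free(s)\n", bdev_open_failure(kill_sb_before));
	printf("bdev open failure, after fix:  %d bogus free(s)\n", bdev_open_failure(kill_sb_after));
	printf("fscache teardown ok (before/after): %d/%d\n", fscache_teardown(kill_sb_before), fscache_teardown(kill_sb_after));
	printf("bdev teardown ok    (before/after): %d/%d\n", bdev_teardown(kill_sb_before), bdev_teardown(kill_sb_after));
	return 0;
}
```

The point the model isolates is the ordering dependency: the pre-fix check is only correct if s_bdev has been assigned by the time .kill_sb runs, an invariant that held before block devices were opened after superblock creation and silently stopped holding afterwards. The fixed check depends only on state that exists from the moment the erofs_sb_info is allocated, so it stays correct regardless of how far the mount got before failing.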