Message-ID: <935974c5-89b1-4811-bdef-6652937829a1@huawei.com>
Date: Thu, 13 Jun 2024 22:02:41 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: CVE-2024-36966: erofs: reliably distinguish block based and fscache mode
From: Baokun Li
To: Greg Kroah-Hartman
CC: Gao Xiang, Baokun Li
References: <2024060804-CVE-2024-36966-8bbb@gregkh> <686626cd-7dcd-4931-bf55-108522b9bfeb@linux.alibaba.com> <362b1e1b-dcdb-4801-a9fc-18d019e7c775@huawei.com> <2024061323-ibuprofen-dreamy-ae0b@gregkh>
In-Reply-To: <2024061323-ibuprofen-dreamy-ae0b@gregkh>

On 2024/6/13 21:55, Greg Kroah-Hartman wrote:
> On Thu, Jun 13, 2024 at 07:21:14PM +0800, Baokun Li wrote:
>> On 2024/6/13 17:38, Gao Xiang wrote:
>>> Hi,
>>>
>>> (+Cc Baokun Li)
>>>
>>> On 2024/6/8 20:53, Greg Kroah-Hartman wrote:
>>>> Description
>>>> ===========
>>>>
>>>> In the Linux kernel, the following vulnerability has been resolved:
>>>>
>>>> erofs: reliably distinguish block based and fscache mode
>>>>
>>>> When erofs_kill_sb() is called in block dev based mode, s_bdev may not
>>>> have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,
>>>> it will be mistaken for fscache mode, and then attempt to free an anon_dev
>>>> that has never been allocated, triggering the following warning:
>>>>
>>>> ============================================
>>>> ida_free called for id=0 which is not allocated.
>>>> WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140
>>>> Modules linked in:
>>>> CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630
>>>> RIP: 0010:ida_free+0x134/0x140
>>>> Call Trace:
>>>>
>>>>   erofs_kill_sb+0x81/0x90
>>>>   deactivate_locked_super+0x35/0x80
>>>>   get_tree_bdev+0x136/0x1e0
>>>>   vfs_get_tree+0x2c/0xf0
>>>>   do_new_mount+0x190/0x2f0
>>>>   [...]
>>>> ============================================
>>>>
>>>> Now when erofs_kill_sb() is called, erofs_sb_info must have been
>>>> initialised, so use sbi->fsid to distinguish between the two modes.
>>>>
>>>> The Linux kernel CVE team has assigned CVE-2024-36966 to this issue.
>>>>
>>>>
>>>> Affected and fixed versions
>>>> ===========================
>>>>
>>>>     Fixed in 6.6.32 with commit f9b877a7ee31
>>>>     Fixed in 6.8.11 with commit dcdd49701e42
>>>>     Fixed in 6.9 with commit 7af2ae1b1531
>>>
>>> For reference, this issue doesn't affect Linux kernel below 6.6.
>>>
>>> This behavior ("s_bdev may not be initialized in erofs_kill_sb()")
>>> is introduced due to commit aca740cecbe5 ("fs: open block device after
>>> superblock creation").
>>>
>>> In other words, previously .kill_sb() was called only after
>>> fill_super failed and problematic erofs_kill_sb() called due to
>>> setup_bdev_super() failure can only happen since Linux 6.6.
>>>
>>> Thanks,
>>> Gao Xiang
>>
>> Exactly! I'm so sorry I forgot to add the Fixes tag.
>
> No worries. I've updated the CVE database with this information and the
> json file and web site will show the new information soon when it gets
> propagated.
>
> thanks,
>
> greg k-h

Thank you very much for the update!

-- 
With Best Regards,
Baokun Li
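The failure mode the CVE text describes, modeled as an added user-space example that is not kernel code and not part of this thread: a mode discriminator that keys off a late-initialised field (s_bdev) misclassifies a block-based mount whose block device open failed, so the kill_sb path frees an anonymous-device id that was never allocated; keying off sbi->fsid, which exists as soon as erofs_sb_info does, avoids that. The struct layouts, the toy id allocator (ida_alloc_model/ida_free_model), the exact shape of the old and new checks, and the constructed fsid value are all assumptions made for this example; only the field names s_bdev, fsid and anon_dev come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND): fscache support is
 * compiled in, the configuration the CVE text requires. (assumption) */
#define EROFS_FS_ONDEMAND_ENABLED 1

/* Minimal models of the two structures the description mentions; field names
 * mirror the kernel's, the structures themselves are constructed here. */
struct erofs_sb_info {
    const char *fsid;   /* set from mount options only in fscache mode */
    int anon_dev;       /* id from the anonymous-device allocator (fscache mode) */
};

struct super_block {
    void *s_bdev;                    /* populated late in a block-based mount */
    struct erofs_sb_info *s_fs_info; /* valid whenever kill_sb can run */
};

/* Toy id allocator that, like ida_free(), notices a free of an id that was
 * never handed out; the kernel warns, this model counts. (constructed) */
#define IDA_SLOTS 8
static bool ida_live[IDA_SLOTS];
static int bogus_free_count;

static int ida_alloc_model(void)
{
    for (int i = 0; i < IDA_SLOTS; i++) {
        if (!ida_live[i]) {
            ida_live[i] = true;
            return i;
        }
    }
    return -1;
}

static void ida_free_model(int id)
{
    if (id < 0 || id >= IDA_SLOTS || !ida_live[id]) {
        bogus_free_count++;  /* "ida_free called for id=N which is not allocated" */
        return;
    }
    ida_live[id] = false;
}

/* Old discriminator (assumed form): "no block device, so it must be fscache".
 * Wrong whenever kill_sb runs before s_bdev has been set. */
static bool is_fscache_mode_old(const struct super_block *sb)
{
    return EROFS_FS_ONDEMAND_ENABLED && !sb->s_bdev;
}

/* Fixed discriminator (assumed form): key off sbi->fsid, which only a fscache
 * mount ever sets and which is present as soon as erofs_sb_info is. */
static bool is_fscache_mode_new(const struct super_block *sb)
{
    return EROFS_FS_ONDEMAND_ENABLED && sb->s_fs_info && sb->s_fs_info->fsid;
}

/* Model of erofs_kill_sb(): returns 1 if the anonymous-super path was taken. */
static int kill_sb_model(struct super_block *sb,
                         bool (*is_fscache)(const struct super_block *))
{
    if (is_fscache(sb)) {
        ida_free_model(sb->s_fs_info->anon_dev);  /* kill_anon_super() path */
        return 1;
    }
    /* kill_block_super() path: would release s_bdev had it been opened. */
    return 0;
}

/* The CVE scenario: block-based mount whose block device open failed, so
 * kill_sb runs with s_bdev == NULL and anon_dev never allocated (it reads 0,
 * matching the "id=0" in the warning). Returns how many bogus frees the
 * given discriminator causes. */
int bogus_frees_on_early_failure(bool (*is_fscache)(const struct super_block *))
{
    struct erofs_sb_info sbi = { .fsid = NULL, .anon_dev = 0 };
    struct super_block sb = { .s_bdev = NULL, .s_fs_info = &sbi };

    bogus_free_count = 0;
    kill_sb_model(&sb, is_fscache);
    return bogus_free_count;
}

/* Regression check: a genuine fscache mount must still release its anon_dev
 * under the fixed discriminator. Returns 1 on success. */
int fscache_mount_released_properly(void)
{
    struct erofs_sb_info sbi = { .fsid = "constructed-fsid", .anon_dev = ida_alloc_model() };
    struct super_block sb = { .s_bdev = NULL, .s_fs_info = &sbi };

    bogus_free_count = 0;
    int took_anon_path = kill_sb_model(&sb, is_fscache_mode_new);
    return took_anon_path == 1 && bogus_free_count == 0 && !ida_live[sbi.anon_dev];
}

int main(void)
{
    printf("old check, early failure: %d bogus free(s)\n",
           bogus_frees_on_early_failure(is_fscache_mode_old));
    printf("new check, early failure: %d bogus free(s)\n",
           bogus_frees_on_early_failure(is_fscache_mode_new));
    printf("new check, real fscache mount released: %d\n",
           fscache_mount_released_properly());
    return 0;
}
```

The general lesson the model makes visible is that a teardown path must decide which resources to release from state that is guaranteed to be set at every point teardown can run, never from a field that a later setup step fills in; Gao Xiang's note that the ordering change in aca740cecbe5 is what made the old check unsafe is the concrete instance of that.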
>>>> >>>> >>>> Affected and fixed versions >>>> =========================== >>>> >>>>     Fixed in 6.6.32 with commit f9b877a7ee31 >>>>     Fixed in 6.8.11 with commit dcdd49701e42 >>>>     Fixed in 6.9 with commit 7af2ae1b1531 >>> For reference, this issue doesn't affect Linux kernel below 6.6. >>> >>> This behavior ("s_bdev may not be initialized in erofs_kill_sb()") >>> is introduced due to commit aca740cecbe5 ("fs: open block device after >>> superblock creation"). >>> >>> In other words, previously .kill_sb() was called only after >>> fill_super failed and problematic erofs_kill_sb() called due to >>> setup_bdev_super() failure can only happen since Linux 6.6. >>> >>> Thanks, >>> Gao Xiang >> Exactly! I'm so sorry I forgot to add the Fixes tag. > No worries. I've updated the CVE database with this information and the > json file and web site will show the new information soon when it gets > propagated. > > thanks, > > greg k-h Thank you very much for the update! -- With Best Regards, Baokun Li