UPDATED/Cmnt: [SRU][M/J/F][PATCH 0/1] CVE-2023-52603

Stefan Bader stefan.bader at canonical.com
Thu Mar 28 08:58:46 UTC 2024


On 27.03.24 18:40, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   UBSAN: array-index-out-of-bounds in dtSplitRoot
> 
>   Syzkaller reported the following issue:
> 
>   oop0: detected capacity change from 0 to 32768
> 
>   UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
>   index -2 is out of range for type 'struct dtslot [128]'
>   CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted
>   6.0.0-syzkaller-09423-g493ffd6605b2 #0
>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>   Google 09/22/2022
>   Call Trace:
>    <TASK>
>    __dump_stack lib/dump_stack.c:88 [inline]
>    dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
>    ubsan_epilogue lib/ubsan.c:151 [inline]
>    __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
>    dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
>    dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
>    dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
>    jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
>    vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
>    do_mkdirat+0x279/0x550 fs/namei.c:4038
>    __do_sys_mkdirat fs/namei.c:4053 [inline]
>    __se_sys_mkdirat fs/namei.c:4051 [inline]
>    __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
>    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>    entry_SYSCALL_64_after_hwframe+0x63/0xcd
>   RIP: 0033:0x7fcdc0113fd9
>   Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7
>   48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
>   ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
>   RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
>   RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
>   RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
>   RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
>   R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
>   R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
>    </TASK>
> 
>   The issue is caused when the value of fsi becomes less than -1.
>   The check to break the loop when fsi value becomes -1 is present
>   but syzbot was able to produce a value less than -1, which causes the error.
>   This patch simply adds the change for values less than 0.
> 
>   The patch is tested via syzbot.
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick
> Jammy:	Mantic patch applied cleanly
> Focal:	Mantic patch applied cleanly
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty:	not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This affects those who use jfs, issues could occur when splitting
> the decision tree from the root resulting in overwriting the tree,
> but this fix is low risk since the change is very simple.
> 
> Osama Muhammad (1):
>    UBSAN: array-index-out-of-bounds in dtSplitRoot
> 
>   fs/jfs/jfs_dtree.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

This was already part of stable for 
mantic,jammy,focal:linux/master-next. I have updated the next branches 
to include the CVE number on those. Thanks.

-Stefan
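Added illustration, not the kernel's code and not part of this thread: a simplified model of the free-slot chain walk in dtSplitRoot, with the pre-fix termination test (stop only on -1) beside the post-fix one (stop on any negative index). The dtslot layout, the 0 -> 1 -> 2 -> tail chain and the range-reporting harness are constructed here; a corrupted link of -2 is the constructed input.

```c
#include <stdbool.h>
#include <stdio.h>
#define MAXSLOT 128  /* matches 'struct dtslot [128]' in the UBSAN report */

/* Constructed stand-in for the on-disk slot: only the free-list link matters.
 * The link is an s8 on disk, so a corrupted value such as -2 is representable. */
struct dtslot { signed char next; };

static bool keep_going_prefix(int fsi) { return fsi != -1; } /* pre-fix test */
static bool keep_going_fixed(int fsi)  { return fsi >= 0;  } /* post-fix test */

/* Model of the free-list walk in dtSplitRoot. Returns the first out-of-range
 * index the loop would use to address slot[], or -1 if the walk ended cleanly.
 * The range check is harness instrumentation the real loop does not have. */
static int walk_freelist(const struct dtslot *slot, int head,
                         bool (*keep_going)(int))
{
    int fsi = head, steps = 0;
    do {
        if (fsi < 0 || fsi >= MAXSLOT)
            return fsi;             /* this is where UBSAN reported index -2 */
        fsi = slot[fsi].next;
        if (++steps > MAXSLOT)
            return -1;              /* cycle guard for corrupted chains */
    } while (keep_going(fsi));
    return -1;
}

/* Out-of-range index the pre-fix or fixed loop would hit for a given tail link;
 * 'tail' models the value read from disk for the last slot in the chain. */
static int oob_index_for(int tail, bool fixed)
{
    struct dtslot slot[MAXSLOT];
    for (int i = 0; i < MAXSLOT; i++)   /* constructed chain 0 -> 1 -> 2 -> tail */
        slot[i].next = -1;
    slot[0].next = 1; slot[1].next = 2; slot[2].next = (signed char)tail;
    return walk_freelist(slot, 0, fixed ? keep_going_fixed : keep_going_prefix);
}

int main(void)
{
    for (int tail = -1; tail >= -2; tail--)
        printf("tail %d: pre-fix oob index %d, fixed oob index %d\n",
               tail, oob_index_for(tail, false), oob_index_for(tail, true));
    return 0;
}
```

With tail -1 both loops end cleanly; with tail -2 only the pre-fix condition lets the walk reach slot[-2], which is the index in the report.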