From: Ryusuke Konishi konishi.ryusuke@gmail.com
mainline inclusion from mainline-v6.0-rc3 commit 21a87d88c2253350e115029f14fe2a10a7e6c856 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level().
This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode.
Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com Reported-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Tested-by: Ryusuke Konishi konishi.ryusuke@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Long Li leo.lilong@huawei.com --- fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index ca380c6d7825..bfe3c7ccdf50 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode, inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) + return -EIO; /* this inode is for metadata and corrupted */ if (inode->i_nlink == 0) return -ESTALE; /* this inode is deleted */
On Tue, Nov 01, 2022 at 07:43:37PM +0800, Long Li wrote:
From: Ryusuke Konishi konishi.ryusuke@gmail.com
mainline inclusion from mainline-v6.0-rc3 commit 21a87d88c2253350e115029f14fe2a10a7e6c856 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level().
This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode.
Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com Reported-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Tested-by: Ryusuke Konishi konishi.ryusuke@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Long Li leo.lilong@huawei.com
fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index ca380c6d7825..bfe3c7ccdf50 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode, inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
- if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
if (inode->i_nlink == 0) return -ESTALE; /* this inode is deleted */return -EIO; /* this inode is for metadata and corrupted */
2.31.1
Please skip this email, I made a mistake in my email, I'm very sorry for my misoperation.
On 11/1/22 18:43, Long Li wrote:
From: Ryusuke Konishi konishi.ryusuke@gmail.com
mainline inclusion from mainline-v6.0-rc3 commit 21a87d88c2253350e115029f14fe2a10a7e6c856 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
Backporting for downstream kernel based on what version?
linux-stable-mirror@lists.linaro.org