From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman To: Reply-to: , Subject: CVE-2024-35844: f2fs: compress: fix reserve_cblocks counting error when out of space Description =========== In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix reserve_cblocks counting error when out of space When a file only needs one direct_node, performing the following operations will cause the file to be unrepairable: unisoc # ./f2fs_io compress test.apk unisoc #df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.2M 100% /data unisoc # ./f2fs_io release_cblocks test.apk 924 unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 4.8M 100% /data unisoc # dd if=/dev/random of=file4 bs=1M count=3 3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 0 This is because the file has only one direct_node. After returning to -ENOSPC, reserved_blocks += ret will not be executed. As a result, the reserved_blocks at this time is still 0, which is not the real number of reserved blocks. Therefore, fsck cannot be set to repair the file. After this patch, the fsck flag will be set to fix this problem. unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 1.8M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device adb reboot then fsck will be executed unisoc # df -h | grep dm-48 /dev/block/dm-48 112G 112G 11M 100% /data unisoc # ./f2fs_io reserve_cblocks test.apk 924 The Linux kernel CVE team has assigned CVE-2024-35844 to this issue. Affected and fixed versions =========================== Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 5.15.153 with commit fa3ac8b1a227 Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 6.1.83 with commit 889846dfc8ee Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 6.6.23 with commit f0bf89e84c3a Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 6.7.11 with commit 569c198c9e20 Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 6.8.2 with commit fc0aed88afbf Issue introduced in 5.8 with commit c75488fb4d82 and fixed in 6.9 with commit 2f6d721e14b6 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-35844 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/f2fs/file.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/fa3ac8b1a227d9b470b87972494293348b5839ee https://git.kernel.org/stable/c/889846dfc8ee2cf31148a44bfd2faeb2faadc685 https://git.kernel.org/stable/c/f0bf89e84c3afb79d7a3a9e4bc853ad6a3245c0a https://git.kernel.org/stable/c/569c198c9e2093fd29cc071856a4e548fda506bc https://git.kernel.org/stable/c/fc0aed88afbf6f606205129a7466eebdf528e3f3 https://git.kernel.org/stable/c/2f6d721e14b69d6e1251f69fa238b48e8374e25f