* Re: CVE-2024-46701: libfs: fix infinite directory reads for offset dir [not found] <b378c634-102f-e115-e925-0a20dc450ff7@huaweicloud.com> @ 2024-09-24 9:03 ` Greg KH 2024-09-24 9:44 ` Yu Kuai 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2024-09-24 9:03 UTC (permalink / raw) To: Yu Kuai Cc: yangerkun, chuck.lever, brauner, sashal, Coly Li, yukuai (C), linux-kernel, cve On Tue, Sep 24, 2024 at 03:35:33PM +0800, Yu Kuai wrote: > Hi, all! > > This is a request to close this CVE. > > First of all, I think this really is not a kernel BUG, the deadloop > only exist in user side and user must rename between each readdir > syscall: > > while (readdr() > 0) > rename() Sounds like a real thing that users can do, so why does this not fit the definition of "vulnerability" as documented by cve.org? > On the other hand, v6.6 is affected by this CVE, and this fix can't > be backported to v6.6 because the patchset [1] must be backported first > to expand offset from 32-bit to 64-bit.(This kind of refactor will > break kabi, hence it's not acceptable in our downstream kernels) That's your business decision, and does not affect if we do, or do not, assign a CVE at all. Go work with your management if you wish to change this as it does not pertain to the community in any way. thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2024-46701: libfs: fix infinite directory reads for offset dir 2024-09-24 9:03 ` CVE-2024-46701: libfs: fix infinite directory reads for offset dir Greg KH @ 2024-09-24 9:44 ` Yu Kuai 2024-09-24 12:13 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: Yu Kuai @ 2024-09-24 9:44 UTC (permalink / raw) To: Greg KH, Yu Kuai Cc: yangerkun, chuck.lever, brauner, sashal, Coly Li, linux-kernel, cve, yukuai (C) Hi, 在 2024/09/24 17:03, Greg KH 写道: > On Tue, Sep 24, 2024 at 03:35:33PM +0800, Yu Kuai wrote: >> Hi, all! >> >> This is a request to close this CVE. >> >> First of all, I think this really is not a kernel BUG, the deadloop >> only exist in user side and user must rename between each readdir >> syscall: >> >> while (readdr() > 0) >> rename() > > Sounds like a real thing that users can do, so why does this not fit the > definition of "vulnerability" as documented by cve.org? If user want to trigger the deadloop that readdir never return 0, then user must keep rename inside this dir asynchronously and *never stop*, this looks like shooting oneself in the foot for me. > >> On the other hand, v6.6 is affected by this CVE, and this fix can't >> be backported to v6.6 because the patchset [1] must be backported first >> to expand offset from 32-bit to 64-bit.(This kind of refactor will >> break kabi, hence it's not acceptable in our downstream kernels) > > That's your business decision, and does not affect if we do, or do not, > assign a CVE at all. Go work with your management if you wish to change > this as it does not pertain to the community in any way. Yes, I understand, This is just the reason why I tried to close this CVE, please ignore this. BTW, if you still think this CVE is valid, can we bakport the refactor patchset to v6.6 as well? I can sent the patches to 6.6 lts, just let me know. Thanks, Kuai > > thanks, > > greg k-h > . > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2024-46701: libfs: fix infinite directory reads for offset dir 2024-09-24 9:44 ` Yu Kuai @ 2024-09-24 12:13 ` Greg KH 0 siblings, 0 replies; 4+ messages in thread From: Greg KH @ 2024-09-24 12:13 UTC (permalink / raw) To: Yu Kuai Cc: yangerkun, chuck.lever, brauner, sashal, Coly Li, linux-kernel, cve, yukuai (C) On Tue, Sep 24, 2024 at 05:44:29PM +0800, Yu Kuai wrote: > > > On the other hand, v6.6 is affected by this CVE, and this fix can't > > > be backported to v6.6 because the patchset [1] must be backported first > > > to expand offset from 32-bit to 64-bit.(This kind of refactor will > > > break kabi, hence it's not acceptable in our downstream kernels) > > > > That's your business decision, and does not affect if we do, or do not, > > assign a CVE at all. Go work with your management if you wish to change > > this as it does not pertain to the community in any way. > > Yes, I understand, This is just the reason why I tried to close this > CVE, please ignore this. > > BTW, if you still think this CVE is valid, can we bakport the refactor > patchset to v6.6 as well? I can sent the patches to 6.6 lts, just let me > know. Sure, send them on, we are always willing to review potential stable patches, to the stable@vger.kernel.org list. thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* CVE-2024-46701: libfs: fix infinite directory reads for offset dir
@ 2024-09-13 6:28 Greg Kroah-Hartman
0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-13 6:28 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
libfs: fix infinite directory reads for offset dir
After we switch tmpfs dir operations from simple_dir_operations to
simple_offset_dir_operations, every rename happened will fill new dentry
to dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free
key starting with octx->newx_offset, and then set newx_offset equals to
free key + 1. This will lead to infinite readdir combine with rename
happened at the same time, which fail generic/736 in xfstests(detail show
as below).
1. create 5000 files(1 2 3...) under one dir
2. call readdir(man 3 readdir) once, and get one entry
3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)
4. loop 2~3, until readdir return nothing or we loop too many
times(tmpfs break test with the second condition)
We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite
directory reads") to fix it, record the last_index when we open dir, and
do not emit the entry which index >= last_index. The file->private_data
now used in offset dir can use directly to do this, and we also update
the last_index when we llseek the dir file.
[brauner: only update last_index after seek when offset is zero like Jan suggested]
The Linux kernel CVE team has assigned CVE-2024-46701 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.6 with commit a2e459555c5f and fixed in 6.10.7 with commit 308b4fc2403b
Issue introduced in 6.6 with commit a2e459555c5f and fixed in 6.11-rc4 with commit 64a7ce76fb90
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46701
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/libfs.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/308b4fc2403b335894592ee9dc212a5e58bb309f
https://git.kernel.org/stable/c/64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a
^ permalink raw reply [flat|nested] 4+ messages in threadend of thread, other threads:[~2024-09-24 12:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <b378c634-102f-e115-e925-0a20dc450ff7@huaweicloud.com>
2024-09-24 9:03 ` CVE-2024-46701: libfs: fix infinite directory reads for offset dir Greg KH
2024-09-24 9:44 ` Yu Kuai
2024-09-24 12:13 ` Greg KH
2024-09-13 6:28 Greg Kroah-Hartman
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.