public inbox for linux-kernel@vger.kernel.org
* Re: CVE-2024-47725: dm-verity: restart or panic on an I/O error
       [not found] <2024102104-CVE-2024-47725-f698@gregkh>
@ 2024-10-23  1:37 ` Li Lingfeng
  2024-10-23  6:07   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Li Lingfeng @ 2024-10-23  1:37 UTC
  To: cve, linux-kernel, linux-cve-announce
  Cc: Greg Kroah-Hartman, Mikulas Patocka, yangerkun, yukuai (C),
	zhangyi (F), Hou Tao, chengzhihao1, zhangerying

Hi

I noticed that the fix patch for this CVE has been reverted by commit
462763212dd7("Revert: "dm-verity: restart or panic on an I/O error"").
So should this CVE also be rejected?

Thanks

On 2024/10/21 20:16, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> dm-verity: restart or panic on an I/O error
>
> Maxim Suhanov reported that dm-verity doesn't crash if an I/O error
> happens. In theory, this could be used to subvert security, because an
> attacker can create sectors that return error with the Write Uncorrectable
> command. Some programs may misbehave if they have to deal with EIO.
>
> This commit fixes dm-verity, so that if "panic_on_corruption" or
> "restart_on_corruption" was specified and an I/O error happens, the
> machine will panic or restart.
>
> This commit also changes kernel_restart to emergency_restart -
> kernel_restart calls reboot notifiers and these reboot notifiers may wait
> for the bio that failed. emergency_restart doesn't call the notifiers.
>
> The Linux kernel CVE team has assigned CVE-2024-47725 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> 	Fixed in 6.6.54 with commit cada2646b748
> 	Fixed in 6.10.13 with commit b332bcca5914
> 	Fixed in 6.11.2 with commit 338b32a232bb
> 	Fixed in 6.12-rc1 with commit e6a3531dd542
>
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions.  The official CVE entry at
> 	https://cve.org/CVERecord/?id=CVE-2024-47725
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> 	drivers/md/dm-verity-target.c
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes.  Individual
> changes are never tested alone, but rather are part of a larger kernel
> release.  Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all.  If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> 	https://git.kernel.org/stable/c/cada2646b7483cce370eb3b046659df31d9d34d1
> 	https://git.kernel.org/stable/c/b332bcca59143cfdd000957f8b78c28dd2ac1da4
> 	https://git.kernel.org/stable/c/338b32a232bbee39e52dd1486cbc0c9f458d4d69
> 	https://git.kernel.org/stable/c/e6a3531dd542cb127c8de32ab1e54a48ae19962b


* Re: CVE-2024-47725: dm-verity: restart or panic on an I/O error
  2024-10-23  1:37 ` CVE-2024-47725: dm-verity: restart or panic on an I/O error Li Lingfeng
@ 2024-10-23  6:07   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-23  6:07 UTC
  To: Li Lingfeng
  Cc: cve, linux-kernel, linux-cve-announce, Mikulas Patocka, yangerkun,
	yukuai (C), zhangyi (F), Hou Tao, chengzhihao1, zhangerying

On Wed, Oct 23, 2024 at 09:37:26AM +0800, Li Lingfeng wrote:
> Hi
> 
> I noticed that the fix patch for this CVE has been reverted by commit
> 462763212dd7("Revert: "dm-verity: restart or panic on an I/O error"").
> So should this CVE also be rejected?

Yes it should, as the revert happened in the same releases.  I'll go do
that now, thanks for the review!

greg k-h
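
Added example, not part of the thread or of the kernel sources: the quoted description concerns dm-verity targets set up with "panic_on_corruption" or "restart_on_corruption", and this script reports which mode each verity target in `dmsetup table` output has set. The function names are hypothetical, the sample table is constructed, and it assumes the optional-parameter count directly follows the salt field.

```shell
#!/bin/sh
# Added example. Reports the corruption-handling mode of every dm-verity
# target found in `dmsetup table` output supplied on stdin.

# Constructed sample of `dmsetup table` output; device names, sizes and the
# ROOT_DIGEST / SALT placeholders are made up for this example.
sample_table() {
cat <<'EOF'
vroot: 0 2097152 verity 1 8:1 8:2 4096 4096 262144 1 sha256 ROOT_DIGEST SALT 1 restart_on_corruption
vdata: 0 4194304 verity 1 8:3 8:4 4096 4096 524288 1 sha256 ROOT_DIGEST SALT 2 panic_on_corruption ignore_zero_blocks
vopt: 0 1048576 verity 1 8:5 8:6 4096 4096 131072 1 sha256 ROOT_DIGEST SALT
home: 0 8388608 linear 8:7 2048
EOF
}

# Prints "<device> <mode>" for each verity target. Fields after the
# "name:" prefix: start, length, "verity", version, data dev, hash dev,
# data block size, hash block size, data blocks, hash start, algorithm,
# digest, salt, then an optional parameter count and the parameters.
verity_modes() {
    awk '
    $4 == "verity" {
        name = $1
        sub(/:$/, "", name)
        # With no corruption option set, a failed check is returned as EIO.
        mode = "eio"
        nopt = ($15 ~ /^[0-9]+$/) ? $15 + 0 : 0
        for (i = 16; i < 16 + nopt && i <= NF; i++)
            if ($i ~ /^(ignore|restart|panic)_on_corruption$/)
                mode = $i
        print name, mode
    }'
}

sample_table | verity_modes
```

On a live system, pipe the output of `dmsetup table` into `verity_modes` instead of the sample.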
