Fixed
Created: Jun 19, 2024
Updated: Jun 25, 2024
Resolved Date: Jun 24, 2024
Found In Version: 10.22.33.1
Fix Version: 10.22.33.17
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:jffs2: prevent xattr node from overflowing the eraseblockAdd a check to make sure that the requested xattr node size is no largerthan the eraseblock minus the cleanmarker.Unlike the usual inode nodes, the xattr nodes aren't split into partsand spread across multiple eraseblocks, which means that a xattr nodemust not occupy more than one eraseblock. If the requested xattr value istoo large, the xattr node can spill onto the next eraseblock, overwritingthe nodes and causing errors such as:jffs2: argh. node added in wrong place at 0x0000b050(2)jffs2: nextblock 0x0000a000, expected at 0000b00cjffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,read=0xfc892c93, calc=0x000000jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failedat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}jffs2: Node at 0x0000000c with length 0x00001044 would run over theend of the erase blockjffs2: Perhaps the file system was created with the wrong erase size?jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not foundat 0x00000010: 0x1044 insteadThis breaks the filesystem and can lead to KASAN crashes such as:BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0Read of size 4 at addr ffff88802c31e914 by task repro/830CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS Arch Linux 1.16.3-1-1 04/01/2014Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ...]Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
CREATE(Triage):(User=admin) [CVE-2024-38599 (https://nvd.nist.gov/vuln/detail/CVE-2024-38599)
