Bug 1211742 (CVE-2023-2898)

Summary: VUL-0: CVE-2023-2898: kernel: A null-ptr-deref bug in f2fs_write_end_io in fs/f2fs/data.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: ailiopoulos, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/367493/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2898:4.1:(AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2023-05-26 07:34:27 UTC
There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.

Refer:
https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2898
https://bugzilla.redhat.com/show_bug.cgi?id=2210102
Comment 1 Gabriele Sonnu 2023-05-26 07:40:20 UTC
From the patch [0]:

> Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress")

b4b10061ef98 is found in 

- SLE15-SP4
- SLE15-SP5
- SLE15-SP5-GA
- stable

[0] https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org/
Comment 2 Anthony Iliopoulos 2023-05-26 13:53:08 UTC
We don't support f2fs, and do not even compile it at all for SLE (see bsc#1109665). We also blacklist it in git-fixes, so we don't receive/handle backports.
Comment 3 Gabriele Sonnu 2023-05-26 16:05:04 UTC
Thanks Anthony, I've updated our tracking. Closing this.
Comment 4 Anthony Iliopoulos 2023-05-26 20:23:33 UTC
(In reply to Gabriele Sonnu from comment #3)
> Thanks Anthony, I've updated our tracking. Closing this.

Thank you Gabriele. Does this mean you specifically marked this particular CVE as invalid or in general blacklisted everything related to f2fs for the future?

If the latter, then this perhaps needs to be done on a per-branch basis (since maybe we still have older SLE releases where f2fs was still supported, or maybe on newer SLE releases the decision changes and we start supporting it).

For SLE15-SP4 (for example), you could perhaps consult the git-fixes blacklist [1].

[1] https://kerncvs.suse.de/gitweb/?p=kernel-source.git;a=blob;f=blacklist.conf;h=10d5cb4979d735807cc0a899d71f71b65a0717e2;hb=refs/heads/SLE15-SP4#l58
Comment 5 Gabriele Sonnu 2023-05-29 07:57:25 UTC
(In reply to Anthony Iliopoulos from comment #4)
> Does this mean you specifically marked this particular
> CVE as invalid or in general blacklisted everything related to f2fs for the
> future?

The former, we don't have a way to blacklist components in our tracking system.
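
The per-branch question raised in comments 2 and 4 (is f2fs built at all on a given branch?) can be answered from each branch's kernel config. The sketch below is an added example, not part of the original bug report or of SUSE's tooling; `CONFIG_F2FS_FS` is the upstream Kconfig symbol for f2fs, while the function names, the one-config-per-branch directory layout, the branch names and the config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers): classify f2fs exposure per branch
# from kernel config files laid out as DIR/<branch>.config.

# f2fs_state CONFIG_FILE -> prints builtin | module | disabled | unknown
f2fs_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # Match only the f2fs master switch, not CONFIG_F2FS_FS_XATTR and friends.
    # The last matching line wins, as with concatenated config fragments.
    line=$(grep -E '^(CONFIG_F2FS_FS=|# CONFIG_F2FS_FS is not set)' "$cfg" | tail -n 1)
    case $line in
        CONFIG_F2FS_FS=y) echo builtin ;;
        CONFIG_F2FS_FS=m) echo module ;;
        *) echo disabled ;;   # explicit "is not set", or symbol absent
    esac
}

# branch_report DIR -> one "<branch> <state> <verdict>" line per config file
branch_report() {
    for cfg in "$1"/*.config; do
        [ -e "$cfg" ] || continue
        branch=$(basename "$cfg" .config)
        state=$(f2fs_state "$cfg")
        case $state in
            builtin|module) verdict=review ;;        # f2fs code ships: triage the fix
            disabled)       verdict=not-affected ;;  # f2fs code is not compiled
            *)              verdict=check-manually ;;
        esac
        printf '%s %s %s\n' "$branch" "$state" "$verdict"
    done
}

# make_sample DIR -> writes two constructed configs (not real SLE configs)
make_sample() {
    printf '%s\n' 'CONFIG_EXT4_FS=y' '# CONFIG_F2FS_FS is not set' \
        > "$1/branch-a.config"
    printf '%s\n' 'CONFIG_EXT4_FS=y' 'CONFIG_F2FS_FS=m' 'CONFIG_F2FS_FS_XATTR=y' \
        > "$1/branch-b.config"
}

tmp=$(mktemp -d)
make_sample "$tmp"
branch_report "$tmp"
rm -rf "$tmp"
```

A `review` verdict only means the f2fs code is shipped on that branch; whether the commit named in the patch's `Fixes:` tag is present there still has to be checked separately.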