Bug 1220691 (CVE-2021-47007)

Summary: VUL-0: CVE-2021-47007: kernel: f2fs: fix panic during f2fs_resize_fs()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED UPSTREAM QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: gabriele.sonnu
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/395456/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-29 13:52:50 UTC 
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix panic during f2fs_resize_fs()

f2fs_resize_fs() hangs in below callstack with testcase:
- mkfs 16GB image & mount image
- dd 8GB fileA
- dd 8GB fileB
- sync
- rm fileA
- sync
- resize filesystem to 8GB

kernel BUG at segment.c:2484!
Call Trace:
 allocate_segment_by_default+0x92/0xf0 [f2fs]
 f2fs_allocate_data_block+0x44b/0x7e0 [f2fs]
 do_write_page+0x5a/0x110 [f2fs]
 f2fs_outplace_write_data+0x55/0x100 [f2fs]
 f2fs_do_write_data_page+0x392/0x850 [f2fs]
 move_data_page+0x233/0x320 [f2fs]
 do_garbage_collect+0x14d9/0x1660 [f2fs]
 free_segment_range+0x1f7/0x310 [f2fs]
 f2fs_resize_fs+0x118/0x330 [f2fs]
 __f2fs_ioctl+0x487/0x3680 [f2fs]
 __x64_sys_ioctl+0x8e/0xd0
 do_syscall_64+0x33/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The root cause is we forgot to check that whether we have enough space
in resized filesystem to store all valid blocks in before-resizing
filesystem, then allocator will run out-of-space during block migration
in free_segment_range().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47007
https://git.kernel.org/stable/c/1c20a4896409f5ca1c770e1880c33d0a28a8b10f
https://git.kernel.org/stable/c/3ab0598e6d860ef49d029943ba80f627c15c15d6
https://git.kernel.org/stable/c/822054e5026c43b1dd60cf387dd999e95ee2ecc2
https://git.kernel.org/stable/c/860afd680d9cc1dabd61cda3cd246f60aa1eb705
https://www.cve.org/CVERecord?id=CVE-2021-47007
https://bugzilla.redhat.com/show_bug.cgi?id=2266854
Comment 1 Gabriele Sonnu 2024-02-29 13:53:14 UTC 
We don't ship F2FS. Closing.