Bug 1224594 (CVE-2024-35844)

Summary: VUL-0: CVE-2024-35844: kernel: f2fs: compress: fix reserve_cblocks counting error when out of space
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: ailiopoulos, gabriele.sonnu
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/406456/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35844:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-20 15:29:54 UTC
In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix reserve_cblocks counting error when out of space

When a file only needs one direct_node, performing the following
operations will cause the file to be unrepairable:

unisoc # ./f2fs_io compress test.apk
unisoc #df -h | grep dm-48
/dev/block/dm-48 112G 112G 1.2M 100% /data

unisoc # ./f2fs_io release_cblocks test.apk
924
unisoc # df -h | grep dm-48
/dev/block/dm-48 112G 112G 4.8M 100% /data

unisoc # dd if=/dev/random of=file4 bs=1M count=3
3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s
unisoc # df -h | grep dm-48
/dev/block/dm-48 112G 112G 1.8M 100% /data

unisoc # ./f2fs_io reserve_cblocks test.apk
F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device

adb reboot
unisoc # df -h  | grep dm-48
/dev/block/dm-48             112G 112G   11M 100% /data
unisoc # ./f2fs_io reserve_cblocks test.apk
0

This is because the file has only one direct_node. After returning
to -ENOSPC, reserved_blocks += ret will not be executed. As a result,
the reserved_blocks at this time is still 0, which is not the real
number of reserved blocks. Therefore, fsck cannot be set to repair
the file.

After this patch, the fsck flag will be set to fix this problem.

unisoc # df -h | grep dm-48
/dev/block/dm-48             112G 112G  1.8M 100% /data
unisoc # ./f2fs_io reserve_cblocks test.apk
F2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device

adb reboot then fsck will be executed
unisoc # df -h  | grep dm-48
/dev/block/dm-48             112G 112G   11M 100% /data
unisoc # ./f2fs_io reserve_cblocks test.apk
924

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35844
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35844.mbox
https://git.kernel.org/stable/c/fa3ac8b1a227d9b470b87972494293348b5839ee
https://git.kernel.org/stable/c/889846dfc8ee2cf31148a44bfd2faeb2faadc685
https://git.kernel.org/stable/c/f0bf89e84c3afb79d7a3a9e4bc853ad6a3245c0a
https://git.kernel.org/stable/c/569c198c9e2093fd29cc071856a4e548fda506bc
https://git.kernel.org/stable/c/fc0aed88afbf6f606205129a7466eebdf528e3f3
https://git.kernel.org/stable/c/2f6d721e14b69d6e1251f69fa238b48e8374e25f
https://www.cve.org/CVERecord?id=CVE-2024-35844
https://bugzilla.redhat.com/show_bug.cgi?id=2281274
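
The accounting error explained in the description, as a simplified userspace model added here (not the kernel's f2fs code and not part of the bug report). The struct, the function names and the block counts are constructed for illustration, and the rule that fsck is requested only when a failed call has a nonzero count follows the description's explanation.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, hypothetical names: free space plus the fsck request flag. */
struct model_fs { unsigned int free_blocks; bool need_fsck; };

/* Reserve one direct node's clusters; *done is the count reserved before any failure. */
static int reserve_node(struct model_fs *fs, unsigned int clusters,
                        unsigned int per_cluster, unsigned int *done)
{
    *done = 0;
    for (unsigned int i = 0; i < clusters; i++) {
        if (fs->free_blocks < per_cluster)
            return -ENOSPC;
        fs->free_blocks -= per_cluster;
        *done += per_cluster;
    }
    return (int)*done;
}

/* Walk the direct nodes; fixed=false keeps the accounting the description reports. */
static int reserve_file(struct model_fs *fs, unsigned int nodes, unsigned int clusters,
                        unsigned int per_cluster, bool fixed, unsigned int *reserved)
{
    int ret = 0;
    *reserved = 0;
    for (unsigned int i = 0; i < nodes && ret >= 0; i++) {
        unsigned int done;
        ret = reserve_node(fs, clusters, per_cluster, &done);
        if (fixed)
            *reserved += done;              /* partial progress is counted */
        else if (ret >= 0)
            *reserved += (unsigned int)ret; /* skipped when ret is -ENOSPC */
    }
    /* Model assumption: fsck is requested only for a failure with a nonzero count. */
    if (ret < 0 && *reserved > 0)
        fs->need_fsck = true;
    return ret < 0 ? ret : 0;
}

int main(void)
{
    struct model_fs fs = { 10, false };   /* constructed: room for 2 of 4 clusters */
    unsigned int n;
    int ret = reserve_file(&fs, 1, 4, 4, false, &n);
    printf("ret=%d reserved=%u need_fsck=%d\n", ret, n, fs.need_fsck);
    return 0;
}
```

With two direct nodes the unfixed path still requests fsck, because the first node's count is already nonzero when the second fails; only the single-node file ends up with a count of 0 and no repair request.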

Comment 1 Anthony Iliopoulos 2024-05-20 16:17:51 UTC
We don't support f2fs in any branch, nothing to do here. Assigning back to sec.

Comment 2 Andrea Mattiazzo 2024-05-29 12:25:25 UTC
All done, closing.