In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: romfs: verificar el valor de retorno de sb_set_blocksize() romfs_fill_super() ignora el valor de retorno de sb_set_blocksize(), lo cual puede fallar si el tamaño de bloque solicitado es incompatible con la configuración del dispositivo de bloques. Esto puede ser activado al establecer el tamaño de bloque de un dispositivo de bucle mayor que PAGE_SIZE usando ioctl(LOOP_SET_BLOCK_SIZE, 32768), y luego montando un sistema de archivos romfs en ese dispositivo. Cuando se llama a sb_set_blocksize(sb, ROMBSIZE) con ROMBSIZE=4096 pero el dispositivo tiene logical_block_size=32768, bdev_validate_blocksize() falla porque el tamaño solicitado es menor que el tamaño de bloque lógico del dispositivo. sb_set_blocksize() devuelve 0 (falla), pero romfs ignora esto y continúa el montaje. El tamaño de bloque del superbloque permanece en el tamaño de bloque lógico del dispositivo (32768). Más tarde, cuando sb_bread() intenta E/S con este tamaño de bloque sobredimensionado, activa un BUG del kernel en folio_set_bh(): BUG del kernel en fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Solución al verificar el valor de retorno de sb_set_blocksize() y fallar el montaje con -EINVAL si devuelve 0.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-617
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f76011b2500> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f763806b900> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f76004f6440> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f76011b0500> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f7638068e80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x7f7638069dc0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x7f76027f6380> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x7f76027f5700> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x7f763806b040> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x7f7638068d80> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x7f763a7e2fc0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f763806adc0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f7670543780> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f763806be80> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f76027f5380> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f7637eaf780> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f76027f5f40> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x7f763806bc80> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |