CVE-2024-46701 Information

Sep 14, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

libfs: fix infinite directory reads for offset dir

After we switch tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations every rename happened will fill new dentry to dest dir’s maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time which fail generic/736 in xfstests(detail show as below).

  1. create 5000 files(1 2 3…) under one dir
  2. call readdir(man 3 readdir) once and get one entry
  3. rename(entry \TEMPFILE) then rename(\TEMPFILE\ entry)
  4. loop 2~3 until readdir return nothing or we loop too many times(tmpfs break test with the second condition)

We choose the same logic what commit 9b378f6ad48cf (trfs: fix infinite directory reads) to fix it record the last_index when we open dir and do not emit the entry which index >= last_index. The file->private_data now used in offset dir can use directly to do this and we also update the last_index when we llseek the dir file.

[brauner: only update last_index after seek when offset is zero like Jan suggested]

Reference

https://git.kernel.org/stable/c/308b4fc2403b335894592ee9dc212a5e58bb309f https://git.kernel.org/stable/c/64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a

Share on: