CVE-2024-53130 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled.
This happens because, since the tracepoint was added to mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure.
In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata including b-tree node blocks, does not set the block device itself; instead each of its caller block reading functions does so only if the buffer is not in the "uptodate" state. However, if the uptodate flag is set on a folio/page, the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set in bh->b_bdev. If mark_buffer_dirty() is called later in that state, the tracepoint dereferences the NULL bh->b_bdev, resulting in the bug mentioned above.
Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure on the buffer head, regardless of the state of the buffer's uptodate flag.
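A constructed user-space model of the state described above, added here as an example (it is not kernel code and not the patch itself): the structures and the tracepoint are stand-ins, and grab_buffer_unfixed/grab_buffer_fixed are hypothetical names for the pre-fix and post-fix handling of b_bdev when a buffer head is grabbed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space stand-ins for the kernel structures involved. */
struct block_device { uint32_t bd_dev; };
struct buffer_head  { struct block_device *b_bdev; bool uptodate; };
struct super_block  { struct block_device *s_bdev; };

/* Stand-in for the block:block_dirty_buffer tracepoint, which reads
 * bh->b_bdev->bd_dev unconditionally. A NULL b_bdev is reported as a
 * failure here instead of faulting, so the condition can be observed. */
static bool trace_block_dirty_buffer(const struct buffer_head *bh, uint32_t *dev)
{
    if (bh->b_bdev == NULL)
        return false;   /* the kernel would dereference NULL at this point */
    *dev = bh->b_bdev->bd_dev;
    return true;
}

/* Pre-fix behaviour: b_bdev is set only when the buffer is not uptodate. */
static void grab_buffer_unfixed(struct super_block *sb, struct buffer_head *bh)
{
    if (!bh->uptodate)
        bh->b_bdev = sb->s_bdev;
}

/* Fixed behaviour: always set the super block's block device. */
static void grab_buffer_fixed(struct super_block *sb, struct buffer_head *bh)
{
    bh->b_bdev = sb->s_bdev;
}

/* True when the tracepoint inside mark_buffer_dirty() can read bd_dev after
 * grabbing a buffer head that try_to_free_buffers()/create_empty_buffers()
 * left uptodate but without a block device. */
static bool dirty_after_grab(bool fixed)
{
    struct block_device bdev = { .bd_dev = 0x0801 };   /* constructed dev_t */
    struct super_block sb = { .s_bdev = &bdev };
    struct buffer_head bh = { .b_bdev = NULL, .uptodate = true };
    uint32_t dev = 0;
    if (fixed)
        grab_buffer_fixed(&sb, &bh);
    else
        grab_buffer_unfixed(&sb, &bh);
    return trace_block_dirty_buffer(&bh, &dev) && dev == bdev.bd_dev;
}
```

dirty_after_grab(false) reproduces the NULL b_bdev reaching the tracepoint; dirty_after_grab(true) shows the always-set assignment closing that path.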
Reference
https://git.kernel.org/stable/c/2026559a6c4ce34db117d2db8f710fe2a9420d5a
https://git.kernel.org/stable/c/86b19031dbc79abc378dfae357f6ea33ebeb0c95
https://git.kernel.org/stable/c/b0e4765740040c44039282057ecacd7435d1d2ba
https://git.kernel.org/stable/c/ffc440a76a0f476a7e6ea838ec0dc8e9979944d1