CVE-2024-53131 Information

Description

In the Linux kernel the following vulnerability has been resolved:

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint

Patch series ilfs2: fix null-ptr-deref bugs on block tracepoints.

This series fixes null pointer dereference bugs that occur when using nilfs2 and two block-related tracepoints.

This patch (of 2):

It has been reported that when using lock:block_touch_buffer\ntracepoint touch_buffer() called from __nilfs_get_folio_block() causes a NULL pointer dereference or a general protection fault when KASAN is enabled.

This happens because since the tracepoint was added in touch_buffer() it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation the block_device structure is set after the function returns to the caller.

Here touch_buffer() is used to mark the folio/page that owns the buffer head as accessed but the common search helper for folio/page used by the caller function was optimized to mark the folio/page as accessed when it was reimplemented a long time ago eliminating the need to call touch_buffer() here in the first place.

So this solves the issue by eliminating the touch_buffer() call itself.

Reference

https://git.kernel.org/stable/c/3b2a4fd9bbee77afdd3ed5a05a0c02b6cde8d3b9 https://git.kernel.org/stable/c/59b49ca67cca7b007a5afd3de0283c8008157665 https://git.kernel.org/stable/c/77e47f89d32c2d72eb33d0becbce7abe14d061f4 https://git.kernel.org/stable/c/cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471