CVE-2024-26982
Vulnerability from cvelistv5
Published: 2024-05-01 05:27
Modified: 2024-12-19 08:51
Summary
In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check the inode number is not the invalid value of zero

Syskiller has produced an out of bounds access in fill_meta_index().

That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked.

The reason this causes the out of bounds access is due to following sequence of events:

1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number).

2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed.

This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is.

[phillip@squashfs.org.uk: whitespace fix]
Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk
Impacted products
Vendor Product Version
Linux Linux


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.866Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26982",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:45:06.926436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:42.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "be383effaee3d89034f0828038f95065b518772e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7def00ebc9f2d6a581ddf46ce4541f84a10680e5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9253c54e01b6505d348afbc02abaa4d9f8a01395",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn\u0027t been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:51:41.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
        }
      ],
      "title": "Squashfs: check the inode number is not the invalid value of zero",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26982",
    "datePublished": "2024-05-01T05:27:11.032Z",
    "dateReserved": "2024-02-19T14:20:24.204Z",
    "dateUpdated": "2024-12-19T08:51:41.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

