CVE-2024-41013
Vulnerability from cvelistv5
Published
2024-07-29 06:36
Modified
2024-12-27 13:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry.
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:56.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41013",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:24:52.783178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:06.070Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/libxfs/xfs_dir2_data.c",
            "fs/xfs/libxfs/xfs_dir2_priv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca96d83c93071f95cf962ce92406621a472df31b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0c7fcdb6d06cdf8b19b57c17605215b06afa864a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/libxfs/xfs_dir2_data.c",
            "fs/xfs/libxfs/xfs_dir2_priv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don\u0027t walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don\u0027t stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup-\u003elength to dup-\u003elength-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-27T13:35:37.721Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a"
        }
      ],
      "title": "xfs: don\u0027t walk off the end of a directory data block",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41013",
    "datePublished": "2024-07-29T06:36:59.930Z",
    "dateReserved": "2024-07-12T12:17:45.611Z",
    "dateUpdated": "2024-12-27T13:35:37.721Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41013\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-29T07:15:05.430\",\"lastModified\":\"2024-12-27T14:15:23.343\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxfs: don\u0027t walk off the end of a directory data block\\n\\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\\nto make sure don\u0027t stray beyond valid memory region. Before patching, the\\nloop simply checks that the start offset of the dup and dep is within the\\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\\ncan change dup-\u003elength to dup-\u003elength-1 and leave 1 byte of space. In the\\nnext traversal, this space will be considered as dup or dep. We may\\nencounter an out of bound read when accessing the fixed members.\\n\\nIn the patch, we make sure that the remaining bytes large enough to hold\\nan unused entry before accessing xfs_dir2_data_unused and\\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\\nsure that the remaining bytes large enough to hold a dirent with a\\nsingle-byte name before accessing xfs_dir2_data_entry.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: xfs: no salga del final de un bloque de datos de directorio. Esto agrega controles de sanitizaci\u00f3n para xfs_dir2_data_unused y xfs_dir2_data_entry para asegurarse de que no se desv\u00eden m\u00e1s all\u00e1 de la regi\u00f3n de memoria v\u00e1lida. Antes de parchear, el bucle simplemente verifica que el desplazamiento inicial de dup y dep est\u00e9 dentro del rango. Entonces, en una imagen manipulada, si la \u00faltima entrada es xfs_dir2_data_unused, podemos cambiar dup-\u0026gt;length a dup-\u0026gt;length-1 y dejar 1 byte de espacio. En el pr\u00f3ximo recorrido, este espacio se considerar\u00e1 dup o dep. Es posible que nos encontremos con una lectura fuera de los l\u00edmites al acceder a los miembros fijos. En el parche, nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener una entrada no utilizada antes de acceder a xfs_dir2_data_unused y xfs_dir2_data_unused est\u00e9n alineados con los bytes XFS_DIR2_DATA_ALIGN. Tambi\u00e9n nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener un directorio con un nombre de un solo byte antes de acceder a xfs_dir2_data_entry.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.