CVE-2024-56619
Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled.

This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned.

This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size.

Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required.
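The bit loss and the resulting wraparound that the description explains, as an added user-space C model (this is not the kernel's source and not part of this CVE record): `last_byte_truncating` mirrors the pre-fix `unsigned int` local, `last_byte_fixed` mirrors the `u64` local the fix introduces, and `end_offset` mirrors the `nilfs_last_byte(dir, n) - reclen` step in the caller. The corrupted i_size, the page numbers and the 16-byte record length are constructed values, and PAGE_SHIFT is assumed to be 12.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                     /* assumed 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Model of nilfs_last_byte() before the fix: the local variable is
 * "unsigned int", so assigning a 64-bit i_size silently drops the
 * upper 32 bits before the per-page remainder is computed. */
static unsigned int last_byte_truncating(uint64_t i_size, unsigned long page_nr)
{
    unsigned int last_byte = i_size;      /* upper 32 bits lost here */

    last_byte -= page_nr << PAGE_SHIFT;
    if (last_byte > PAGE_SIZE)
        last_byte = PAGE_SIZE;
    return last_byte;
}

/* Same computation with the u64 local the fix describes. The caller only
 * asks about pages that lie below i_size, so the subtraction cannot wrap,
 * and the clamp to PAGE_SIZE makes the unsigned int return type safe. */
static unsigned int last_byte_fixed(uint64_t i_size, unsigned long page_nr)
{
    uint64_t last_byte = i_size;          /* all 64 bits kept */

    last_byte -= page_nr << PAGE_SHIFT;
    if (last_byte > PAGE_SIZE)
        last_byte = PAGE_SIZE;
    return (unsigned int)last_byte;
}

/* Model of the end-address step in nilfs_find_entry():
 *     kaddr += nilfs_last_byte(dir, n) - reclen;
 * Both operands are unsigned int, so if last_byte < reclen the difference
 * wraps to a value near 4 GiB and the pointer is pushed far past the page.
 * Returns the byte offset from the page start that the pointer would reach. */
static uint64_t end_offset(unsigned int last_byte, unsigned int reclen)
{
    unsigned int delta = last_byte - reclen;   /* wraps when last_byte < reclen */
    return (uint64_t)delta;
}

/* Bounds check a defender would want: does the computed end offset stay
 * inside the page that was mapped? */
static int end_offset_in_page(uint64_t off)
{
    return off < PAGE_SIZE;
}

int main(void)
{
    /* Constructed corrupted size: 4 GiB + 4 bytes. Truncated to 32 bits
     * it becomes 4, which is smaller than any directory record. */
    uint64_t corrupt_size = (1ULL << 32) + 4;
    unsigned int reclen = 16;             /* constructed record length */

    unsigned int lb_bug = last_byte_truncating(corrupt_size, 0);
    unsigned int lb_fix = last_byte_fixed(corrupt_size, 0);

    printf("i_size=0x%llx page=0\n", (unsigned long long)corrupt_size);
    printf("  unsigned int local: last_byte=%u end_offset=%llu in_page=%d\n",
           lb_bug, (unsigned long long)end_offset(lb_bug, reclen),
           end_offset_in_page(end_offset(lb_bug, reclen)));
    printf("  u64 local:          last_byte=%u end_offset=%llu in_page=%d\n",
           lb_fix, (unsigned long long)end_offset(lb_fix, reclen),
           end_offset_in_page(end_offset(lb_fix, reclen)));

    /* A sane size (two full pages plus 100 bytes) is unaffected either way. */
    printf("sane size, page 2: before=%u after=%u\n",
           last_byte_truncating(8292, 2), last_byte_fixed(8292, 2));
    return 0;
}
```

With the truncating version the corrupted size yields a `last_byte` of 4, the subtraction of the record length wraps to 4294967284, and the end pointer lands gigabytes past the page; with the u64 local the same size is clamped to PAGE_SIZE and the end offset stays inside the page. Sizes below 4 GiB produce identical results in both versions, which is why the bug only surfaced with a corrupted i_size.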
POC
Reference
No PoCs from references.