CVE-2024-44939

[syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfsdtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpyto_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time.

[Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/44xxx/CVE-2024-44939.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Fixed

f98bf80b20f4a930589cda48a35f751a64fe0dc2

Fixed

53023ab11836ac56fd75f7a71ec1356e50920fa9

Fixed

6ea10dbb1e6c58384136e9adfd75f81951e423f6

Fixed

9c2ac38530d1a3ee558834dfa16c85a40fd0e702

Fixed

ce6dede912f064a855acf6f04a04cbb2c25b8c8c

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-44939.json"