DEBIAN-CVE-2023-52900

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix general protection fault in nilfsbtreeinsert() If nilfs2 reads a corrupted disk image and tries to reads a b-tree node block by calling _nilfsbtreegetblock() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave. When nilfsbtreeinsert() receives this spurious 'not found' code from nilfsbtreedolookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfsbtreegetnonrootnode fs/nilfs2/btree.c:418 [inline] RIP: 0010:nilfsbtreeprepareinsert fs/nilfs2/btree.c:1077 [inline] RIP: 0010:nilfsbtreeinsert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02 ... Call Trace: <TASK> nilfsbmapdoinsert fs/nilfs2/bmap.c:121 [inline] nilfsbmapinsert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfsgetblock+0x414/0x8d0 fs/nilfs2/inode.c:101 _blockwritebeginint+0x54c/0x1a80 fs/buffer.c:1991 _blockwritebegin fs/buffer.c:2041 [inline] blockwritebegin+0x93/0x1e0 fs/buffer.c:2102 nilfswritebegin+0x9c/0x110 fs/nilfs2/inode.c:261 genericperformwrite+0x2e4/0x5e0 mm/filemap.c:3772 _genericfilewriteiter+0x176/0x400 mm/filemap.c:3900 genericfilewriteiter+0xab/0x310 mm/filemap.c:3932 callwriteiter include/linux/fs.h:2186 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x7dc/0xc50 fs/readwrite.c:584 ksyswrite+0x177/0x2a0 fs/readwrite.c:637 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd ... </TASK> This patch fixes the root cause of this problem by replacing the error code that _nilfsbtreegetblock() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted. By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfsbmapconvert_error(), and code -EIO will be eventually returned as it should be.