{
  "commit": "f498f0d657742da01b1e3223aa5e8184db67e464",
  "tree": "7d29ae5890d6a0ec823faf78e72840ea94f9e384",
  "parents": [
    "d1bac40b026bdad040c0ab3629be9311eecf1256"
  ],
  "author": {
    "name": "Ming-Hung Tsai",
    "email": "mtsai@redhat.com",
    "time": "Tue Oct 22 15:13:54 2024 +0800"
  },
  "committer": {
    "name": "Anil Altinay",
    "email": "aaltinay@google.com",
    "time": "Fri Dec 06 16:02:57 2024 +0000"
  },
  "message": "dm cache: fix potential out-of-bounds access on the first resume\n\ncommit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream.\n\nOut-of-bounds access occurs if the fast device is expanded unexpectedly\nbefore the first-time resume of the cache table. This happens because\nexpanding the fast device requires reloading the cache table for\ncache_create to allocate new in-core data structures that fit the new\nsize, and the check in cache_preresume is not performed during the\nfirst resume, leading to the issue.\n\nReproduce steps:\n\n1. prepare component devices:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if\u003d/dev/zero of\u003d/dev/mapper/cmeta bs\u003d4k count\u003d1 oflag\u003ddirect\n\n2. load a cache table of 512 cache blocks, and deliberately expand the\n   fast device before resuming the cache, making the in-core data\n   structures inadequate.\n\ndmsetup create cache --notable\ndmsetup reload cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup reload cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\n3. suspend the cache to write out the in-core dirty bitset and hint\n   array, leading to out-of-bounds access to the dirty bitset at offset\n   0x40:\n\ndmsetup suspend cache\n\nKASAN reports:\n\n  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80\n  Read of size 8 at addr ffffc90000085040 by task dmsetup/90\n\n  (...snip...)\n  The buggy address belongs to the virtual mapping at\n   [ffffc90000085000, ffffc90000087000) created by:\n   cache_ctr+0x176a/0x35f0\n\n  (...snip...)\n  Memory state around the buggy address:\n   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  \u003effffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8\n                                             ^\n   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by checking the size change on the first resume.\n\nBUG\u003db/381394575\nTEST\u003dNone\nRELEASE_NOTE\u003dFixed CVE-2024-50278 in the linux kernel.\n\ncos-patch: bug\nSigned-off-by: Ming-Hung Tsai \u003cmtsai@redhat.com\u003e\nFixes: f494a9c6b1b6 (\"dm cache: cache shrinking support\")\nCc: stable@vger.kernel.org\nSigned-off-by: Mikulas Patocka \u003cmpatocka@redhat.com\u003e\nAcked-by: Joe Thornber \u003cthornber@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nChange-Id: I31a9be3c434c5855c5132fd671405d8acee164af\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/88081\nReviewed-by: Anil Altinay \u003caaltinay@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "6ff1737fb1e050a51a48f0dfb68f254a48c33223",
      "old_mode": 33188,
      "old_path": "drivers/md/dm-cache-target.c",
      "new_id": "82e6fc3a5016427372eb828fab7fb0b9b55f1e38",
      "new_mode": 33188,
      "new_path": "drivers/md/dm-cache-target.c"
    }
  ]
}
