CVE-2024-57923
Published: 01/19/2025 12:15:26
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path
Since the input data length passed to zlib_compress_folios() can be
arbitrary, always setting strm.avail_in to a multiple of PAGE_SIZE may
cause read-in bytes to exceed the input range. Currently this triggers
an assert in btrfs_compress_folios() on the debug kernel (see below).
Fix strm.avail_in calculation for S390 hardware acceleration path.
assertion failed: *total_in <= orig_len, in fs/btrfs/compression.c:1041
------------[ cut here ]------------
kernel BUG at fs/btrfs/compression.c:1041!
monitor event: 0040 ilc:2 [#1] PREEMPT SMP
CPU: 16 UID: 0 PID: 325 Comm: kworker/u273:3 Not tainted 6.13.0-20241204.rc1.git6.fae3b21430ca.300.fc41.s390x+debug #1
Hardware name: IBM 3931 A01 703 (z/VM 7.4.0)
Workqueue: btrfs-delalloc btrfs_work_helper
Krnl PSW : 0704d00180000000 0000021761df6538 (btrfs_compress_folios+0x198/0x1a0)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
Krnl GPRS: 0000000080000000 0000000000000001 0000000000000047 0000000000000000
0000000000000006 ffffff01757bb000 000001976232fcc0 000000000000130c
000001976232fcd0 000001976232fcc8 00000118ff4a0e30 0000000000000001
00000111821ab400 0000011100000000 0000021761df6534 000001976232fb58
Krnl Code: 0000021761df6528: c020006f5ef4 larl %r2,0000021762be2310
0000021761df652e: c0e5ffbd09d5 brasl %r14,00000217615978d8
#0000021761df6534: af000000 mc 0,0
>0000021761df6538: 0707 bcr 0,%r7
0000021761df653a: 0707 bcr 0,%r7
0000021761df653c: 0707 bcr 0,%r7
0000021761df653e: 0707 bcr 0,%r7
0000021761df6540: c004004bb7ec brcl 0,000002176276d518
Call Trace:
[<0000021761df6538>] btrfs_compress_folios+0x198/0x1a0
([<0000021761df6534>] btrfs_compress_folios+0x194/0x1a0)
[<0000021761d97788>] compress_file_range+0x3b8/0x6d0
[<0000021761dcee7c>] btrfs_work_helper+0x10c/0x160
[<0000021761645760>] process_one_work+0x2b0/0x5d0
[<000002176164637e>] worker_thread+0x20e/0x3e0
[<000002176165221a>] kthread+0x15a/0x170
[<00000217615b859c>] __ret_from_fork+0x3c/0x60
[<00000217626e72d2>] ret_from_fork+0xa/0x38
INFO: lockdep is turned off.
Last Breaking-Event-Address:
[<0000021761597924>] _printk+0x4c/0x58
Kernel panic - not syncing: Fatal exception: panic_on_oops
Unknown
CVSS v2:
CVSS v2:
Status
| DocFilters Release | Package | State | Justification | Comment |
|---|---|---|---|---|
| 25.1 | zlib (1.3) | Needs Triage | ||
| 24.4 | zlib (1.3) | Needs Triage | ||
| 24.4.0 | zlib (1.3) | Needs Triage | ||
| 24.3 | zlib (1.3) | Needs Triage | ||
| 24.2.1 | zlib (1.3) | Needs Triage | ||
| 24.2 | zlib (1.3) | Needs Triage | ||
| 24.1 | zlib (1.3) | Needs Triage | ||
| 23.3 | zlib (1.3) | Needs Triage | ||
| 23.2.1 | zlib (1.2.12) | Needs Triage | ||
| 23.2 | zlib (1.2.12) | Needs Triage | ||
| 23.1 | zlib (1.2.12) | Needs Triage | ||
| 22.4 | zlib (1.2.12) | Needs Triage | ||
| 22.3 | zlib (1.2.12) | Needs Triage | ||
| 22.2 | zlib (1.2.12) | Needs Triage | ||
| 22.1 | zlib (1.2.11) | Needs Triage | ||
| 21.11.1 | zlib (1.2.11) | Needs Triage | ||
| 21.11 | zlib (1.2.11) | Needs Triage | ||
| 21.8.1 | zlib (1.2.11) | Needs Triage | ||
| 21.8 | zlib (1.2.11) | Needs Triage | ||
| 21.5.1 | zlib (1.2.11) | Needs Triage | ||
| 21.5.0 | zlib (1.2.11) | Needs Triage | ||
| 21.2.0 | zlib (1.2.11) | Needs Triage | ||
| 11.4.20 | zlib (1.2.11) | Needs Triage | ||
| 11.4.19.3667 | zlib (1.2.11) | Needs Triage | ||
| 11.4.18.3599 | zlib (1.2.11) | Needs Triage | ||
| 11.4.17 | zlib (1.2.11) | Needs Triage | ||
| 11.4.16.3445 | zlib (1.2.11) | Needs Triage | ||
| 11.4.15.3368 | zlib (1.2.11) | Needs Triage | ||
| 11.4.14.3263 | zlib (1.2.11) | Needs Triage | ||
| 11.4.13.3179 | zlib (1.2.11) | Needs Triage | ||
| 11.4.12.3054 | zlib (1.2.11) | Needs Triage | ||
| 11.4.11.3040 | zlib (1.2.11) | Needs Triage | ||
| 11.4.11.2990 | zlib (1.2.11) | Needs Triage | ||
| 11.4.10.2934 | zlib (1.2.11) | Needs Triage | ||
| 11.4.9.2878 | zlib (1.2.11) | Needs Triage | ||
| 11.4.8.2822 | zlib (1.2.11) | Needs Triage |