CVE-2023-52705

In the Linux kernel, the following vulnerability has been resolved: nilfs2:
fix underflow in second superblock position calculations Macro
NILFS_SB2_OFFSET_BYTES, which computes the position of the second
superblock, underflows when the argument device size is less than 4096
bytes. Therefore, when using this macro, it is necessary to check in
advance that the device size is not less than a lower limit, or at least
that underflow does not occur. The current nilfs2 implementation lacks this
check, causing out-of-bound block access when mounting devices smaller than
4096 bytes: I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ)
flags 0x0 phys_seg 1 prio class 2 NILFS (loop0): unable to read secondary
superblock (blocksize = 1024) In addition, when trying to resize the
filesystem to a size below 4096 bytes, this underflow occurs in
nilfs_resize_fs(), passing a huge number of segments to
nilfs_sufile_resize(), corrupting parameters such as the number of segments
in superblocks. This causes excessive loop iterations in
nilfs_sufile_resize() during a subsequent resize ioctl, causing semaphore
ns_segctor_sem to block for a long time and hang the writer thread: INFO:
task segctord:5067 blocked for more than 143 seconds. Not tainted
6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 “echo 0 >
/proc/sys/kernel/hung_task_timeout_secs” disables this message.
task:segctord state:D stack:23456 pid:5067 ppid:2 flags:0x00004000 Call
Trace: <TASK> context_switch kernel/sched/core.c:5293 [inline]
__schedule+0x1409/0x43f0 kernel/sched/core.c:6606 schedule+0xc3/0x190
kernel/sched/core.c:6682 rwsem_down_write_slowpath+0xfcf/0x14a0
kernel/locking/rwsem.c:1190 nilfs_transaction_lock+0x25c/0x4f0
fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct
fs/nilfs2/segment.c:2486 [inline] nilfs_segctor_thread+0x52f/0x1140
fs/nilfs2/segment.c:2570 kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> … Call
Trace: <TASK> folio_mark_accessed+0x51c/0xf00 mm/swap.c:515
__nilfs_get_page_block fs/nilfs2/page.c:42 [inline]
nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61
nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121
nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176
nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251
nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]
nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]
nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777
nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 nilfs_ioctl_resize
fs/nilfs2/ioctl.c:1033 [inline] nilfs_ioctl+0x137c/0x2440
fs/nilfs2/ioctl.c:1301 … This fixes these issues by inserting appropriate
minimum device size checks or anti-underflow checks, depending on where the
macro is used.