Updated: 2026-02-19
CWE: CWE-476
Description:
In the Linux kernel, the following vulnerability has been resolved:

fs: dlm: fix invalid dereference of sb_lvbptr

I experience issues when putting a lkbsb on the stack and having the sb_lvbptr field set to a dangling pointer while not using DLM_LKF_VALBLK. It will crash with the following kernel message; the dangling pointer here is 0xdeadbeef as an example:

```text
[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
[ 102.749320] #PF: supervisor read access in kernel mode
[ 102.749323] #PF: error_code(0x0000) - not-present page
[ 102.749325] PGD 0 P4D 0
[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 102.749379] PKRU: 55555554
[ 102.749381] Call Trace:
[ 102.749382] <TASK>
[ 102.749383] ? send_args+0xb2/0xd0
[ 102.749389] send_common+0xb7/0xd0
[ 102.749395] _unlock_lock+0x2c/0x90
[ 102.749400] unlock_lock.isra.56+0x62/0xa0
[ 102.749405] dlm_unlock+0x21e/0x330
[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
[ 102.749419] ? preempt_count_sub+0xba/0x100
[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
[ 102.786186] kthread+0x10a/0x130
[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
[ 102.787156] ret_from_fork+0x22/0x30
[ 102.787588] </TASK>
[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
[ 102.792536] CR2: 00000000deadbeef
[ 102.792930] ---[ end trace 0000000000000000 ]---
```

This patch fixes the issue by also checking whether DLM_LKF_VALBLK is set in exflags when copying the lvbptr array, instead of only checking whether it is null, which fixes the issue for me. I think this patch can fix other dlm users as well, depending on how they handle the init and freeing of sb_lvbptr memory and don't set DLM_LKF_VALBLK for some dlm_lock() calls. It might be that there has been a hidden issue all the time. However, with checking on DLM_LKF_VALBLK the user always needs to provide a non-null sb_lvbptr value. There might be more intelligent handling between per-ls lvblen, DLM_LKF_VALBLK and non-null to report to the user that the way the DLM API is used is wrong, but that can be added later; this will only fix the current behaviour.
CVSS3: 5.5
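To make the pre-fix and post-fix conditions concrete, here is an added, simplified C model of the lvb copy decision in a send_args-style path. It is not the kernel's code: the struct names, LVBLEN and the DLM_LKF_VALBLK bit value are assumptions for this model, and the model additionally refuses a NULL pointer on its own, whereas the advisory says the fixed kernel simply requires a non-NULL sb_lvbptr whenever DLM_LKF_VALBLK is set.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the DLM lock value block copy; not the kernel code.
 * The DLM_LKF_VALBLK bit value and LVBLEN are assumed for this model. */
#define DLM_LKF_VALBLK 0x00000008u
#define LVBLEN 32

struct lksb_model { char *sb_lvbptr; };                         /* after struct dlm_lksb */
struct lkb_model  { uint32_t lkb_exflags; struct lksb_model *lkb_lksb; };

/* Pre-fix condition: copy whenever the pointer is non-NULL. A stale pointer left
 * in a stack lksb passes this test and memcpy faults on it (the oops above). */
static int lvb_copy_wanted_old(const struct lkb_model *lkb)
{
    return lkb->lkb_lksb->sb_lvbptr != NULL;
}

/* Post-fix condition: copy only when the caller asked for a value block.
 * The NULL guard is an addition of this model (see lead-in). */
static int lvb_copy_wanted_fixed(const struct lkb_model *lkb)
{
    return (lkb->lkb_exflags & DLM_LKF_VALBLK) != 0 && lkb->lkb_lksb->sb_lvbptr != NULL;
}

/* send_args-style step: copy the lvb into the outgoing message; returns bytes copied. */
static size_t send_args_lvb_fixed(const struct lkb_model *lkb, char *msg_lvb, size_t lvblen)
{
    if (!lvb_copy_wanted_fixed(lkb))
        return 0;
    memcpy(msg_lvb, lkb->lkb_lksb->sb_lvbptr, lvblen);
    return lvblen;
}

/* Advisory scenario, constructed: stack lksb with a dangling sb_lvbptr and a request
 * issued without DLM_LKF_VALBLK. The old test would dereference the pointer; the fixed
 * path never touches it. Returns 1 when both observations hold. */
static int dangling_request_is_skipped(void)
{
    struct lksb_model lksb = { .sb_lvbptr = (char *)(uintptr_t)0xdeadbeef };
    struct lkb_model lkb = { .lkb_exflags = 0, .lkb_lksb = &lksb };
    char msg[LVBLEN];
    return lvb_copy_wanted_old(&lkb) == 1 && send_args_lvb_fixed(&lkb, msg, LVBLEN) == 0;
}

/* Legitimate request: DLM_LKF_VALBLK set with a valid buffer; the copy still happens. */
static size_t valblk_request_copies(void)
{
    char lvb[LVBLEN], msg[LVBLEN] = { 0 };
    struct lksb_model lksb = { .sb_lvbptr = lvb };
    struct lkb_model lkb = { .lkb_exflags = DLM_LKF_VALBLK, .lkb_lksb = &lksb };
    memset(lvb, 'A', LVBLEN);
    size_t n = send_args_lvb_fixed(&lkb, msg, LVBLEN);
    return (n == LVBLEN && memcmp(msg, lvb, LVBLEN) == 0) ? n : 0;
}
```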
| OS | Vendor version | Errata |
|---|---|---|
| Amazon Linux 2 | 4.14.355-280.708.amzn2 | ALAS2-2025-3075 |
| OS | Original kernel version | State |
|---|---|---|
| Amazon Linux 2 | 4.14.152-127.182.amzn2 | Released |
| Amazon Linux 2 | 4.14.154-128.181.amzn2 | Released |
| Amazon Linux 2 | 4.14.165-131.185.amzn2 | Released |
| Amazon Linux 2 | 4.14.146-120.181.amzn2 | Released |
| Amazon Linux 2 | 4.14.152-124.171.amzn2 | Released |
| Amazon Linux 2 | 4.14.171-136.231.amzn2 | Released |
| Amazon Linux 2 | 4.14.158-129.185.amzn2 | Released |
| Amazon Linux 2 | 4.14.165-133.209.amzn2 | Released |
| Amazon Linux 2 | 4.14.173-137.228.amzn2 | Released |
| Amazon Linux 2 | 4.14.177-139.254.amzn2 | Released |
| Amazon Linux 2 | 4.14.173-137.229.amzn2 | Released |
| Amazon Linux 2 | 4.14.177-139.253.amzn2 | Released |
| Amazon Linux 2 | 4.14.181-140.257.amzn2 | Released |
| Amazon Linux 2 | 4.14.186-146.268.amzn2 | Released |
| Amazon Linux 2 | 4.14.181-142.260.amzn2 | Released |
| Amazon Linux 2 | 4.14.192-147.314.amzn2 | Released |
| Amazon Linux 2 | 4.14.193-149.317.amzn2 | Released |
| Amazon Linux 2 | 4.14.198-152.320.amzn2 | Released |
| Amazon Linux 2 | 4.14.200-155.322.amzn2 | Released |
| Amazon Linux 2 | 4.14.203-156.332.amzn2 | Released |
| Amazon Linux 2 | 4.14.209-160.335.amzn2 | Released |
| Amazon Linux 2 | 4.14.214-160.339.amzn2 | Released |
| Amazon Linux 2 | 4.14.209-160.339.amzn2 | Released |
| Amazon Linux 2 | 4.14.219-161.340.amzn2 | Released |
| Amazon Linux 2 | 4.14.225-168.357.amzn2 | Released |
| Amazon Linux 2 | 4.14.231-173.360.amzn2 | Released |
| Amazon Linux 2 | 4.14.219-164.354.amzn2 | Released |
| Amazon Linux 2 | 4.14.225-169.362.amzn2 | Released |
| Amazon Linux 2 | 4.14.232-176.381.amzn2 | Released |
| Amazon Linux 2 | 4.14.232-177.418.amzn2 | Released |
| Amazon Linux 2 | 4.14.238-182.421.amzn2 | Released |
| Amazon Linux 2 | 4.14.238-182.422.amzn2 | Released |
| Amazon Linux 2 | 4.14.231-173.361.amzn2 | Released |
| Amazon Linux 2 | 4.14.241-184.433.amzn2 | Released |
| Amazon Linux 2 | 4.14.243-185.433.amzn2 | Released |
| Amazon Linux 2 | 4.14.246-187.474.amzn2 | Released |
| Amazon Linux 2 | 4.14.248-189.473.amzn2 | Released |
| Amazon Linux 2 | 4.14.252-195.481.amzn2 | Released |
| Amazon Linux 2 | 4.14.252-195.483.amzn2 | Released |
| Amazon Linux 2 | 4.14.256-197.484.amzn2 | Released |
| Amazon Linux 2 | 4.14.262-200.489.amzn2 | Released |
| Amazon Linux 2 | 4.14.268-205.500.amzn2 | Released |
| Amazon Linux 2 | 4.14.273-207.502.amzn2 | Released |
| Amazon Linux 2 | 4.14.275-207.503.amzn2 | Released |
| Amazon Linux 2 | 4.14.276-211.499.amzn2 | Released |
| Amazon Linux 2 | 4.14.281-212.502.amzn2 | Released |
| Amazon Linux 2 | 4.14.285-215.501.amzn2 | Released |
| Amazon Linux 2 | 4.14.287-215.504.amzn2 | Released |
| Amazon Linux 2 | 4.14.290-217.505.amzn2 | Released |
| Amazon Linux 2 | 4.14.291-218.527.amzn2 | Released |
| Amazon Linux 2 | 4.14.294-220.533.amzn2 | Released |
| Amazon Linux 2 | 4.14.296-222.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.299-223.520.amzn2 | Released |
| Amazon Linux 2 | 4.14.301-224.520.amzn2 | Released |
| Amazon Linux 2 | 4.14.304-226.531.amzn2 | Released |
| Amazon Linux 2 | 4.14.301-225.528.amzn2 | Released |
| Amazon Linux 2 | 4.14.309-231.529.amzn2 | Released |
| Amazon Linux 2 | 4.14.305-227.531.amzn2 | Released |
| Amazon Linux 2 | 4.14.313-235.533.amzn2 | Released |
| Amazon Linux 2 | 4.14.314-237.533.amzn2 | Released |
| Amazon Linux 2 | 4.14.314-238.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.318-240.529.amzn2 | Released |
| Amazon Linux 2 | 4.14.318-241.531.amzn2 | Released |
| Amazon Linux 2 | 4.14.320-242.534.amzn2 | Released |
| Amazon Linux 2 | 4.14.320-243.544.amzn2 | Released |
| Amazon Linux 2 | 4.14.322-244.536.amzn2 | Released |
| Amazon Linux 2 | 4.14.311-233.529.amzn2 | Released |
| Amazon Linux 2 | 4.14.322-244.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.326-245.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.327-246.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.328-248.540.amzn2 | Released |
| Amazon Linux 2 | 4.14.322-246.539.amzn2 | Released |
| Amazon Linux 2 | 4.14.330-250.540.amzn2 | Released |
| Amazon Linux 2 | 4.14.334-252.552.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-253.554.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-255.557.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-256.559.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-257.562.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-256.557.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-257.568.amzn2 | Released |
| Amazon Linux 2 | 4.14.336-257.566.amzn2 | Released |
| Amazon Linux 2 | 4.14.343-261.564.amzn2 | Released |
| Amazon Linux 2 | 4.14.343-259.562.amzn2 | Released |
| Amazon Linux 2 | 4.14.343-260.564.amzn2 | Released |
| Amazon Linux 2 | 4.14.348-265.562.amzn2 | Released |
| Amazon Linux 2 | 4.14.344-262.563.amzn2 | Released |
| Amazon Linux 2 | 4.14.345-262.561.amzn2 | Released |
| Amazon Linux 2 | 4.14.348-265.565.amzn2 | Released |
| Amazon Linux 2 | 4.14.349-266.564.amzn2 | Released |
| Amazon Linux 2 | 4.14.350-266.564.amzn2 | Released |
| Amazon Linux 2 | 4.14.352-268.568.amzn2 | Released |
| Amazon Linux 2 | 4.14.352-267.564.amzn2 | Released |
| Amazon Linux 2 | 4.14.353-270.569.amzn2 | Released |
| Amazon Linux 2 | 4.14.352-268.569.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-271.569.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-275.582.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-275.570.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-275.572.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-275.591.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-274.598.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-275.603.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-276.618.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-276.639.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-277.643.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-277.647.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.652.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.664.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.651.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.672.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.679.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.684.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.695.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.698.amzn2 | Released |
| Amazon Linux 2 | 4.14.355-280.706.amzn2 | Released |