Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-46989— hfsplus: prevent corruption in shrinking truncate

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-46989

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
hfsplus: prevent corruption in shrinking truncate
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于如果目录文件中的第一个盘区记录已满,则会从盘区溢出文件中分配新的记录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 31651c607151f1034cfb57e5a78678bea54c362b ~ 52dde855663e5db824af51db39b5757d2ef3e28a -
LinuxLinux 4.19 -

II. Public POCs for CVE-2021-46989

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2021-46989

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-02-28 · 86 CVEs total

CVE-2021-46997arm64: entry: always set GIC_PRIO_PSR_I_SET during entry
CVE-2021-47001xprtrdma: Fix cwnd update ordering
CVE-2021-46998ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
CVE-2021-47000ceph: fix inode leak on getattr error in __fh_to_dentry
CVE-2021-47003dmaengine: idxd: Fix potential null dereference on pointer status
CVE-2021-47005PCI: endpoint: Fix NULL pointer dereference for ->get_features()
CVE-2021-47007f2fs: fix panic during f2fs_resize_fs()
CVE-2021-47006ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook
CVE-2021-47009KEYS: trusted: Fix memory leak on object td
CVE-2021-47004f2fs: fix to avoid touching checkpointed data in get_victim()
CVE-2021-46999sctp: do asoc update earlier in sctp_sf_do_dupcook_a
CVE-2021-46995can: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe
CVE-2021-46996netfilter: nftables: Fix a memleak from userdata error path in new objects
CVE-2021-46994can: mcp251x: fix resume from sleep before interface was brought up
CVE-2021-46992netfilter: nftables: avoid overflows in nft_hash_buckets()
CVE-2021-46993sched: Fix out-of-bound access in uclamp
CVE-2021-46990powerpc/64s: Fix crashes when toggling entry flush barrier
CVE-2021-46991i40e: Fix use-after-free in i40e_client_subtask()
CVE-2021-46987btrfs: fix deadlock when cloning inline extents and using qgroups
CVE-2021-46988userfaultfd: release page in error path to avoid BUG_ON

Showing top 20 of 86 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2021-46989

No comments yet

Leave a comment