NACK: [SRU][N][PATCH 0/1] CVE-2024-56598

Koichiro Den koichiro.den at canonical.com
Tue Mar 18 07:09:19 UTC 2025


On Wed, Mar 12, 2025 at 10:45:46AM GMT, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-56598
> 
> [ Impact ]
> 
> jfs: array-index-out-of-bounds fix in dtReadFirst
> 
> The value of stbl can be sometimes out of bounds due
> to a bad filesystem. Added a check with appropriate return
> of error code in that case.
> 
> [ Fix ]
> 
> Oracular: Fixed via upstream stable updates (LP: #2096827)
> Noble: Clean cherry pick from mainline
> Jammy: Fixed via upstream stable updates (LP: #2095283)
> Focal: Fixed via upstream stable updates (LP: #2095145)
> 
> [ Test Plan ]
> 
> Compile and boot tested on amd64.
> Stress tested a jfs partition using stress-ng:
> 
> $ sudo stress-ng --hdd 2 --dir 2 --fallocate 2 --aggressive --metrics --timeout 5m
> ...
> stress-ng: info:  [1288] passed: 5: hdd (2) dir (2) fallocate (1)
> stress-ng: info:  [1288] setting to a 5 mins, 0 secs run per stressor
> stress-ng: info:  [1288] dispatching hogs: 2 hdd, 2 dir, 2 fallocate
> stress-ng: info:  [1288] failed: 0
> stress-ng: info:  [1288] metrics untrustworthy: 0
> stress-ng: info:  [1288] successful run completed in 5 mins, 0.58 secs
> 
> [ Where Problems Could Occur ]
> 
> The fix affects the JFS filesystem. An issue with this fix
> may lead to improper handling of directories and files managed by JFS.
> A user might experience problems such as filesystem corruption,
> unexpected kernel crashes, or failures when accessing or modifying
> files on a JFS partition.
> 

This commit was included in an upstream stable patchset (LP: #2102118),
which was submitted exactly on the same day and applied to master-next:
https://lists.ubuntu.com/archives/kernel-team/2025-March/158006.html

If this had received >=2 ACKs within 1.0 day after your submission, it
would have superseded the application via upstream stable patchset. Sadly
it didn't.

Please let me NACK this for that reason.


