ghsa-5mc8-q53p-h4pr
Vulnerability from github
Published
2024-11-05 18:32
Modified
2024-11-08 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reject ro->rw reconfiguration if there are hard ro requirements

[BUG] Syzbot reports the following crash:

BTRFS info (device loop0 state MCS): disabling free space tree BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1) BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2) Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline] RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Call Trace: btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfs_remount_rw fs/btrfs/super.c:1309 [inline] btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline] btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline] btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115 vfs_get_tree+0x90/0x2b0 fs/super.c:1800 do_new_mount+0x2be/0xb40 fs/namespace.c:3472 do_mount fs/namespace.c:3812 [inline] __do_sys_mount fs/namespace.c:4020 [inline] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[CAUSE] To support mounting different subvolume with different RO/RW flags for the new mount APIs, btrfs introduced two workaround to support this feature:

  • Skip mount option/feature checks if we are mounting a different subvolume

  • Reconfigure the fs to RW if the initial mount is RO

Combining these two, we can have the following sequence:

  • Mount the fs ro,rescue=all,clear_cache,space_cache=v1 rescue=all will mark the fs as hard read-only, so no v2 cache clearing will happen.

  • Mount a subvolume rw of the same fs. We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY because our new fc is RW, different from the original fs.

Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag first so that we can grab the existing fs_info. Then we reconfigure the fs to RW.

  • During reconfiguration, option/features check is skipped This means we will restart the v2 cache clearing, and convert back to v1 cache. This will trigger fs writes, and since the original fs has "rescue=all" option, it skips the csum tree read.

And eventually causing NULL pointer dereference in super block writeback.

[FIX] For reconfiguration caused by different subvolume RO/RW flags, ensure we always run btrfs_check_options() to ensure we have proper hard RO requirements met.

In fact the function btrfs_check_options() doesn't really do many complex checks, but hard RO requirement and some feature dependency checks, thus there is no special reason not to do the check for mount reconfiguration.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-50118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro-\u003erw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n  BTRFS info (device loop0 state MCS): disabling free space tree\n  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n  RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n   btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n   btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n   btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n   btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n   btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n   btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n   btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n   vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n   do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n   do_mount fs/namespace.c:3812 [inline]\n   __do_sys_mount fs/namespace.c:4020 [inline]\n   __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip mount option/feature checks if we are mounting a different\n  subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n  rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n  will happen.\n\n- Mount a subvolume rw of the same fs.\n  We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n  because our new fc is RW, different from the original fs.\n\n  Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n  first so that we can grab the existing fs_info.\n  Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n  This means we will restart the v2 cache clearing, and convert back to\n  v1 cache.\n  This will trigger fs writes, and since the original fs has \"rescue=all\"\n  option, it skips the csum tree read.\n\n  And eventually causing NULL pointer dereference in super block\n  writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn\u0027t really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration.",
  "id": "GHSA-5mc8-q53p-h4pr",
  "modified": "2024-11-08T18:30:48Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50118"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.