cve/published/2021/CVE-2021-47145.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47145: btrfs: do not BUG_ON in link_to_fixup_dir

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: do not BUG_ON in link_to_fixup_dir

 While doing error injection testing I got the following panic

   kernel BUG at fs/btrfs/tree-log.c:1862!
   invalid opcode: 0000 [#1] SMP NOPTI
   CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
   RIP: 0010:link_to_fixup_dir+0xd5/0xe0
   RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216
   RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0
   RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000
   RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001
   R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800
   R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065
   FS:  00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0
   Call Trace:
    replay_one_buffer+0x409/0x470
    ? btree_read_extent_buffer_pages+0xd0/0x110
    walk_up_log_tree+0x157/0x1e0
    walk_log_tree+0xa6/0x1d0
    btrfs_recover_log_trees+0x1da/0x360
    ? replay_one_extent+0x7b0/0x7b0
    open_ctree+0x1486/0x1720
    btrfs_mount_root.cold+0x12/0xea
    ? __kmalloc_track_caller+0x12f/0x240
    legacy_get_tree+0x24/0x40
    vfs_get_tree+0x22/0xb0
    vfs_kern_mount.part.0+0x71/0xb0
    btrfs_mount+0x10d/0x380
    ? vfs_parse_fs_string+0x4d/0x90
    legacy_get_tree+0x24/0x40
    vfs_get_tree+0x22/0xb0
    path_mount+0x433/0xa10
    __x64_sys_mount+0xe3/0x120
    do_syscall_64+0x3d/0x80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

 We can get -EIO or any number of legitimate errors from
 btrfs_search_slot(), panicing here is not the appropriate response.  The
 error path for this code handles errors properly, simply return the
 error.

 The Linux kernel CVE team has assigned CVE-2021-47145 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.4.271 with commit 76bfd8ac20bebeae599452a03dfc5724c0475dcf
 	Fixed in 4.9.271 with commit e934c4ee17b33bafb0444f2f9766cda7166d3c40
 	Fixed in 4.14.235 with commit 0eaf383c6a4a83c09f60fd07a1bea9f1a9181611
 	Fixed in 4.19.193 with commit 6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa
 	Fixed in 5.4.124 with commit 0ed102453aa1cd12fefde8f6b60b9519b0b1f003
 	Fixed in 5.10.42 with commit 7e13db503918820e6333811cdc6f151dcea5090a
 	Fixed in 5.12.9 with commit b545442133580dcb2f2496133bf850824d41255c
 	Fixed in 5.13 with commit 91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47145
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/tree-log.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/76bfd8ac20bebeae599452a03dfc5724c0475dcf
 	https://git.kernel.org/stable/c/e934c4ee17b33bafb0444f2f9766cda7166d3c40
 	https://git.kernel.org/stable/c/0eaf383c6a4a83c09f60fd07a1bea9f1a9181611
 	https://git.kernel.org/stable/c/6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa
 	https://git.kernel.org/stable/c/0ed102453aa1cd12fefde8f6b60b9519b0b1f003
 	https://git.kernel.org/stable/c/7e13db503918820e6333811cdc6f151dcea5090a
 	https://git.kernel.org/stable/c/b545442133580dcb2f2496133bf850824d41255c
 	https://git.kernel.org/stable/c/91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47145: btrfs: do not BUG_ON in link_to_fixup_dir

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: do not BUG_ON in link_to_fixup_dir

	While doing error injection testing I got the following panic

	kernel BUG at fs/btrfs/tree-log.c:1862!
	invalid opcode: 0000 [#1] SMP NOPTI
	CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
	RIP: 0010:link_to_fixup_dir+0xd5/0xe0
	RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216
	RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0
	RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000
	RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001
	R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800
	R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065
	FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0
	Call Trace:
	replay_one_buffer+0x409/0x470
	? btree_read_extent_buffer_pages+0xd0/0x110
	walk_up_log_tree+0x157/0x1e0
	walk_log_tree+0xa6/0x1d0
	btrfs_recover_log_trees+0x1da/0x360
	? replay_one_extent+0x7b0/0x7b0
	open_ctree+0x1486/0x1720
	btrfs_mount_root.cold+0x12/0xea
	? __kmalloc_track_caller+0x12f/0x240
	legacy_get_tree+0x24/0x40
	vfs_get_tree+0x22/0xb0
	vfs_kern_mount.part.0+0x71/0xb0
	btrfs_mount+0x10d/0x380
	? vfs_parse_fs_string+0x4d/0x90
	legacy_get_tree+0x24/0x40
	vfs_get_tree+0x22/0xb0
	path_mount+0x433/0xa10
	__x64_sys_mount+0xe3/0x120
	do_syscall_64+0x3d/0x80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	We can get -EIO or any number of legitimate errors from
	btrfs_search_slot(), panicing here is not the appropriate response. The
	error path for this code handles errors properly, simply return the
	error.

	The Linux kernel CVE team has assigned CVE-2021-47145 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.4.271 with commit 76bfd8ac20bebeae599452a03dfc5724c0475dcf
	Fixed in 4.9.271 with commit e934c4ee17b33bafb0444f2f9766cda7166d3c40
	Fixed in 4.14.235 with commit 0eaf383c6a4a83c09f60fd07a1bea9f1a9181611
	Fixed in 4.19.193 with commit 6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa
	Fixed in 5.4.124 with commit 0ed102453aa1cd12fefde8f6b60b9519b0b1f003
	Fixed in 5.10.42 with commit 7e13db503918820e6333811cdc6f151dcea5090a
	Fixed in 5.12.9 with commit b545442133580dcb2f2496133bf850824d41255c
	Fixed in 5.13 with commit 91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47145
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/tree-log.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/76bfd8ac20bebeae599452a03dfc5724c0475dcf
	https://git.kernel.org/stable/c/e934c4ee17b33bafb0444f2f9766cda7166d3c40
	https://git.kernel.org/stable/c/0eaf383c6a4a83c09f60fd07a1bea9f1a9181611
	https://git.kernel.org/stable/c/6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa
	https://git.kernel.org/stable/c/0ed102453aa1cd12fefde8f6b60b9519b0b1f003
	https://git.kernel.org/stable/c/7e13db503918820e6333811cdc6f151dcea5090a
	https://git.kernel.org/stable/c/b545442133580dcb2f2496133bf850824d41255c
	https://git.kernel.org/stable/c/91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d