cve/published/2024/CVE-2024-36027.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36027: btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer

 Btrfs clears the content of an extent buffer marked as
 EXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is
 introduced to prevent a write hole of an extent buffer, which is once
 allocated, marked dirty, but turns out unnecessary and cleaned up within
 one transaction operation.

 Currently, btrfs_clear_buffer_dirty() marks the extent buffer as
 EXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call
 happens while the buffer is under IO (with the WRITEBACK flag set,
 without the DIRTY flag), we can add the ZEROOUT flag and clear the
 buffer's content just before a bio submission. As a result:

 1) it can lead to adding faulty delayed reference item which leads to a
    FS corrupted (EUCLEAN) error, and

 2) it writes out cleared tree node on disk

 The former issue is previously discussed in [1]. The corruption happens
 when it runs a delayed reference update. So, on-disk data is safe.

 [1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/

 The latter one can reach on-disk data. But, as that node is already
 processed by btrfs_clear_buffer_dirty(), that will be invalidated in the
 next transaction commit anyway. So, the chance of hitting the corruption
 is relatively small.

 Anyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to
 keep the content under IO intact.

 The Linux kernel CVE team has assigned CVE-2024-36027 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit aa6313e6ff2bfbf736a2739047bba355d8241584 and fixed in 6.8.8 with commit f4b994fccbb6f294c4b31a6ca0114b09f7245043
 	Issue introduced in 6.8 with commit aa6313e6ff2bfbf736a2739047bba355d8241584 and fixed in 6.9 with commit 68879386180c0efd5a11e800b0525a01068c9457

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36027
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/extent_io.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043
 	https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36027: btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer

	Btrfs clears the content of an extent buffer marked as
	EXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is
	introduced to prevent a write hole of an extent buffer, which is once
	allocated, marked dirty, but turns out unnecessary and cleaned up within
	one transaction operation.

	Currently, btrfs_clear_buffer_dirty() marks the extent buffer as
	EXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call
	happens while the buffer is under IO (with the WRITEBACK flag set,
	without the DIRTY flag), we can add the ZEROOUT flag and clear the
	buffer's content just before a bio submission. As a result:

	1) it can lead to adding faulty delayed reference item which leads to a
	FS corrupted (EUCLEAN) error, and

	2) it writes out cleared tree node on disk

	The former issue is previously discussed in [1]. The corruption happens
	when it runs a delayed reference update. So, on-disk data is safe.

	[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/

	The latter one can reach on-disk data. But, as that node is already
	processed by btrfs_clear_buffer_dirty(), that will be invalidated in the
	next transaction commit anyway. So, the chance of hitting the corruption
	is relatively small.

	Anyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to
	keep the content under IO intact.

	The Linux kernel CVE team has assigned CVE-2024-36027 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit aa6313e6ff2bfbf736a2739047bba355d8241584 and fixed in 6.8.8 with commit f4b994fccbb6f294c4b31a6ca0114b09f7245043
	Issue introduced in 6.8 with commit aa6313e6ff2bfbf736a2739047bba355d8241584 and fixed in 6.9 with commit 68879386180c0efd5a11e800b0525a01068c9457

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36027
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/extent_io.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043
	https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457