cve/published/2024/CVE-2024-50118.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50118: btrfs: reject ro->rw reconfiguration if there are hard ro requirements

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: reject ro->rw reconfiguration if there are hard ro requirements

 [BUG]
 Syzbot reports the following crash:

   BTRFS info (device loop0 state MCS): disabling free space tree
   BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
   BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
   KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
   RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]
   RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041
   Call Trace:
    <TASK>
    btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530
    btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312
    btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012
    btrfs_remount_rw fs/btrfs/super.c:1309 [inline]
    btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534
    btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]
    btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]
    btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115
    vfs_get_tree+0x90/0x2b0 fs/super.c:1800
    do_new_mount+0x2be/0xb40 fs/namespace.c:3472
    do_mount fs/namespace.c:3812 [inline]
    __do_sys_mount fs/namespace.c:4020 [inline]
    __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

 [CAUSE]
 To support mounting different subvolume with different RO/RW flags for
 the new mount APIs, btrfs introduced two workaround to support this feature:

 - Skip mount option/feature checks if we are mounting a different
   subvolume

 - Reconfigure the fs to RW if the initial mount is RO

 Combining these two, we can have the following sequence:

 - Mount the fs ro,rescue=all,clear_cache,space_cache=v1
   rescue=all will mark the fs as hard read-only, so no v2 cache clearing
   will happen.

 - Mount a subvolume rw of the same fs.
   We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY
   because our new fc is RW, different from the original fs.

   Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag
   first so that we can grab the existing fs_info.
   Then we reconfigure the fs to RW.

 - During reconfiguration, option/features check is skipped
   This means we will restart the v2 cache clearing, and convert back to
   v1 cache.
   This will trigger fs writes, and since the original fs has "rescue=all"
   option, it skips the csum tree read.

   And eventually causing NULL pointer dereference in super block
   writeback.

 [FIX]
 For reconfiguration caused by different subvolume RO/RW flags, ensure we
 always run btrfs_check_options() to ensure we have proper hard RO
 requirements met.

 In fact the function btrfs_check_options() doesn't really do many
 complex checks, but hard RO requirement and some feature dependency
 checks, thus there is no special reason not to do the check for mount
 reconfiguration.

 The Linux kernel CVE team has assigned CVE-2024-50118 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit f044b318675f0347ecfb88377542651ba4eb9e1f and fixed in 6.11.6 with commit 23724398b55d9570f6ae79dd2ea026fff8896bf1
 	Issue introduced in 6.8 with commit f044b318675f0347ecfb88377542651ba4eb9e1f and fixed in 6.12 with commit 3c36a72c1d27de6618c1c480c793d9924640f5bb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50118
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1
 	https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50118: btrfs: reject ro->rw reconfiguration if there are hard ro requirements

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: reject ro->rw reconfiguration if there are hard ro requirements

	[BUG]
	Syzbot reports the following crash:

	BTRFS info (device loop0 state MCS): disabling free space tree
	BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
	BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
	Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
	KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
	RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]
	RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041
	Call Trace:
	<TASK>
	btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530
	btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312
	btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012
	btrfs_remount_rw fs/btrfs/super.c:1309 [inline]
	btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534
	btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]
	btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]
	btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115
	vfs_get_tree+0x90/0x2b0 fs/super.c:1800
	do_new_mount+0x2be/0xb40 fs/namespace.c:3472
	do_mount fs/namespace.c:3812 [inline]
	__do_sys_mount fs/namespace.c:4020 [inline]
	__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	[CAUSE]
	To support mounting different subvolume with different RO/RW flags for
	the new mount APIs, btrfs introduced two workaround to support this feature:

	- Skip mount option/feature checks if we are mounting a different
	subvolume

	- Reconfigure the fs to RW if the initial mount is RO

	Combining these two, we can have the following sequence:

	- Mount the fs ro,rescue=all,clear_cache,space_cache=v1
	rescue=all will mark the fs as hard read-only, so no v2 cache clearing
	will happen.

	- Mount a subvolume rw of the same fs.
	We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY
	because our new fc is RW, different from the original fs.

	Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag
	first so that we can grab the existing fs_info.
	Then we reconfigure the fs to RW.

	- During reconfiguration, option/features check is skipped
	This means we will restart the v2 cache clearing, and convert back to
	v1 cache.
	This will trigger fs writes, and since the original fs has "rescue=all"
	option, it skips the csum tree read.

	And eventually causing NULL pointer dereference in super block
	writeback.

	[FIX]
	For reconfiguration caused by different subvolume RO/RW flags, ensure we
	always run btrfs_check_options() to ensure we have proper hard RO
	requirements met.

	In fact the function btrfs_check_options() doesn't really do many
	complex checks, but hard RO requirement and some feature dependency
	checks, thus there is no special reason not to do the check for mount
	reconfiguration.

	The Linux kernel CVE team has assigned CVE-2024-50118 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit f044b318675f0347ecfb88377542651ba4eb9e1f and fixed in 6.11.6 with commit 23724398b55d9570f6ae79dd2ea026fff8896bf1
	Issue introduced in 6.8 with commit f044b318675f0347ecfb88377542651ba4eb9e1f and fixed in 6.12 with commit 3c36a72c1d27de6618c1c480c793d9924640f5bb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50118
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1
	https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb