cve/published/2024/CVE-2024-50273.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50273: btrfs: reinitialize delayed ref list after deleting it from the list

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: reinitialize delayed ref list after deleting it from the list

 At insert_delayed_ref() if we need to update the action of an existing
 ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
 ref_add_list using list_del(), which leaves the ref's add_list member
 not reinitialized, as list_del() sets the next and prev members of the
 list to LIST_POISON1 and LIST_POISON2, respectively.

 If later we end up calling drop_delayed_ref() against the ref, which can
 happen during merging or when destroying delayed refs due to a transaction
 abort, we can trigger a crash since at drop_delayed_ref() we call
 list_empty() against the ref's add_list, which returns false since
 the list was not reinitialized after the list_del() and as a consequence
 we call list_del() again at drop_delayed_ref(). This results in an
 invalid list access since the next and prev members are set to poison
 pointers, resulting in a splat if CONFIG_LIST_HARDENED and
 CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
 otherwise.

 So fix this by deleting from the list with list_del_init() instead.

 The Linux kernel CVE team has assigned CVE-2024-50273 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 4.19.324 with commit 2fd0948a483e9cb2d669c7199bc620a21c97673d
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.4.286 with commit 93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.10.230 with commit bf0b0c6d159767c0d1c21f793950d78486690ee0
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.15.172 with commit c24fa427fc0ae827b2a3a07f13738cbf82c3f851
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.1.117 with commit 2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.6.61 with commit f04be6d68f715c1473a8422fc0460f57b5e99931
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.11.8 with commit 50a3933760b427759afdd23156a7280a19357a92
 	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.12 with commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50273
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/delayed-ref.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d
 	https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
 	https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0
 	https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851
 	https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
 	https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931
 	https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a19357a92
 	https://git.kernel.org/stable/c/c9a75ec45f1111ef530ab186c2a7684d0a0c9245
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50273: btrfs: reinitialize delayed ref list after deleting it from the list

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: reinitialize delayed ref list after deleting it from the list

	At insert_delayed_ref() if we need to update the action of an existing
	ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
	ref_add_list using list_del(), which leaves the ref's add_list member
	not reinitialized, as list_del() sets the next and prev members of the
	list to LIST_POISON1 and LIST_POISON2, respectively.

	If later we end up calling drop_delayed_ref() against the ref, which can
	happen during merging or when destroying delayed refs due to a transaction
	abort, we can trigger a crash since at drop_delayed_ref() we call
	list_empty() against the ref's add_list, which returns false since
	the list was not reinitialized after the list_del() and as a consequence
	we call list_del() again at drop_delayed_ref(). This results in an
	invalid list access since the next and prev members are set to poison
	pointers, resulting in a splat if CONFIG_LIST_HARDENED and
	CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
	otherwise.

	So fix this by deleting from the list with list_del_init() instead.

	The Linux kernel CVE team has assigned CVE-2024-50273 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 4.19.324 with commit 2fd0948a483e9cb2d669c7199bc620a21c97673d
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.4.286 with commit 93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.10.230 with commit bf0b0c6d159767c0d1c21f793950d78486690ee0
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 5.15.172 with commit c24fa427fc0ae827b2a3a07f13738cbf82c3f851
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.1.117 with commit 2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.6.61 with commit f04be6d68f715c1473a8422fc0460f57b5e99931
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.11.8 with commit 50a3933760b427759afdd23156a7280a19357a92
	Issue introduced in 4.10 with commit 1d57ee941692d0cc928526e21a1557b2ae3e11db and fixed in 6.12 with commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50273
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/delayed-ref.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d
	https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
	https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0
	https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851
	https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
	https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931
	https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a19357a92
	https://git.kernel.org/stable/c/c9a75ec45f1111ef530ab186c2a7684d0a0c9245