cve/published/2024/CVE-2024-56582.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56582: btrfs: fix use-after-free in btrfs_encoded_read_endio()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix use-after-free in btrfs_encoded_read_endio()

 Shinichiro reported the following use-after free that sometimes is
 happening in our CI system when running fstests' btrfs/284 on a TCMU
 runner device:

   BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
   Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219

   CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15
   Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
   Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
   Call Trace:
    <TASK>
    dump_stack_lvl+0x6e/0xa0
    ? lock_release+0x708/0x780
    print_report+0x174/0x505
    ? lock_release+0x708/0x780
    ? __virt_addr_valid+0x224/0x410
    ? lock_release+0x708/0x780
    kasan_report+0xda/0x1b0
    ? lock_release+0x708/0x780
    ? __wake_up+0x44/0x60
    lock_release+0x708/0x780
    ? __pfx_lock_release+0x10/0x10
    ? __pfx_do_raw_spin_lock+0x10/0x10
    ? lock_is_held_type+0x9a/0x110
    _raw_spin_unlock_irqrestore+0x1f/0x60
    __wake_up+0x44/0x60
    btrfs_encoded_read_endio+0x14b/0x190 [btrfs]
    btrfs_check_read_bio+0x8d9/0x1360 [btrfs]
    ? lock_release+0x1b0/0x780
    ? trace_lock_acquire+0x12f/0x1a0
    ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]
    ? process_one_work+0x7e3/0x1460
    ? lock_acquire+0x31/0xc0
    ? process_one_work+0x7e3/0x1460
    process_one_work+0x85c/0x1460
    ? __pfx_process_one_work+0x10/0x10
    ? assign_work+0x16c/0x240
    worker_thread+0x5e6/0xfc0
    ? __pfx_worker_thread+0x10/0x10
    kthread+0x2c3/0x3a0
    ? __pfx_kthread+0x10/0x10
    ret_from_fork+0x31/0x70
    ? __pfx_kthread+0x10/0x10
    ret_from_fork_asm+0x1a/0x30
    </TASK>

   Allocated by task 3661:
    kasan_save_stack+0x30/0x50
    kasan_save_track+0x14/0x30
    __kasan_kmalloc+0xaa/0xb0
    btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]
    send_extent_data+0xf0f/0x24a0 [btrfs]
    process_extent+0x48a/0x1830 [btrfs]
    changed_cb+0x178b/0x2ea0 [btrfs]
    btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
    _btrfs_ioctl_send+0x117/0x330 [btrfs]
    btrfs_ioctl+0x184a/0x60a0 [btrfs]
    __x64_sys_ioctl+0x12e/0x1a0
    do_syscall_64+0x95/0x180
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

   Freed by task 3661:
    kasan_save_stack+0x30/0x50
    kasan_save_track+0x14/0x30
    kasan_save_free_info+0x3b/0x70
    __kasan_slab_free+0x4f/0x70
    kfree+0x143/0x490
    btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]
    send_extent_data+0xf0f/0x24a0 [btrfs]
    process_extent+0x48a/0x1830 [btrfs]
    changed_cb+0x178b/0x2ea0 [btrfs]
    btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
    _btrfs_ioctl_send+0x117/0x330 [btrfs]
    btrfs_ioctl+0x184a/0x60a0 [btrfs]
    __x64_sys_ioctl+0x12e/0x1a0
    do_syscall_64+0x95/0x180
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

   The buggy address belongs to the object at ffff888106a83f00
    which belongs to the cache kmalloc-rnd-07-96 of size 96
   The buggy address is located 24 bytes inside of
    freed 96-byte region [ffff888106a83f00, ffff888106a83f60)

   The buggy address belongs to the physical page:
   page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83
   flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
   page_type: f5(slab)
   raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004
   raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000
   page dumped because: kasan: bad access detected

   Memory state around the buggy address:
    ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
    ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
   >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                               ^
    ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
    ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ==================================================================

 Further analyzing the trace and the crash dump's vmcore file shows that
 the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on
 the wait_queue that is in the private data passed to the end_io handler.

 Commit 4ff47df40447 ("btrfs: move priv off stack in
 btrfs_encoded_read_regular_fill_pages()") moved 'struct
 btrfs_encoded_read_private' off the stack.

 Before that commit one can see a corruption of the private data when
 analyzing the vmcore after a crash:

 *(struct btrfs_encoded_read_private *)0xffff88815626eec8 = {
 	.wait = (wait_queue_head_t){
 		.lock = (spinlock_t){
 			.rlock = (struct raw_spinlock){
 				.raw_lock = (arch_spinlock_t){
 					.val = (atomic_t){
 						.counter = (int)-2005885696,
 					},
 					.locked = (u8)0,
 					.pending = (u8)157,
 					.locked_pending = (u16)40192,
 					.tail = (u16)34928,
 				},
 				.magic = (unsigned int)536325682,
 				.owner_cpu = (unsigned int)29,
 				.owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0,
 				.dep_map = (struct lockdep_map){
 					.key = (struct lock_class_key *)0xffff8881575a3b6c,
 					.class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
 					.name = (const char *)0xffff88815626f100 = "",
 					.wait_type_outer = (u8)37,
 					.wait_type_inner = (u8)178,
 					.lock_type = (u8)154,
 				},
 			},
 			.__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 },
 			.dep_map = (struct lockdep_map){
 				.key = (struct lock_class_key *)0xffff8881575a3b6c,
 				.class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
 				.name = (const char *)0xffff88815626f100 = "",
 				.wait_type_outer = (u8)37,
 				.wait_type_inner = (u8)178,
 				.lock_type = (u8)154,
 			},
 		},
 		.head = (struct list_head){
 			.next = (struct list_head *)0x112cca,
 			.prev = (struct list_head *)0x47,
 		},
 	},
 	.pending = (atomic_t){
 		.counter = (int)-1491499288,
 	},
 	.status = (blk_status_t)130,
 }

 Here we can see several indicators of in-memory data corruption, e.g. the
 large negative atomic values of ->pending or
 ->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic
 0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus
 pointer values for ->wait->head.

 To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the
 corruption, as atomic_dec_return() is defined as two instructions on
 x86_64, whereas atomic_dec_and_test() is defined as a single atomic
 operation. This can lead to a situation where counter value is already
 decremented but the if statement in btrfs_encoded_read_endio() is not
 completely processed, i.e. the 0 test has not completed. If another thread
 continues executing btrfs_encoded_read_regular_fill_pages() the
 atomic_dec_return() there can see an already updated ->pending counter and
 continues by freeing the private data. Continuing in the endio handler the
 test for 0 succeeds and the wait_queue is woken up, resulting in a
 use-after-free.

 The Linux kernel CVE team has assigned CVE-2024-56582 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.1.124 with commit a40de0330af4fb7bc6b354250c24f294f8b826a0
 	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.6.70 with commit 6228f13f1996a4feb9b601d6644bf0bfe03671dd
 	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.12.4 with commit f8a5129e4a9fc3f6aa3f137513253b51b31b94d4
 	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.13 with commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56582
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a40de0330af4fb7bc6b354250c24f294f8b826a0
 	https://git.kernel.org/stable/c/6228f13f1996a4feb9b601d6644bf0bfe03671dd
 	https://git.kernel.org/stable/c/f8a5129e4a9fc3f6aa3f137513253b51b31b94d4
 	https://git.kernel.org/stable/c/05b36b04d74a517d6675bf2f90829ff1ac7e28dc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56582: btrfs: fix use-after-free in btrfs_encoded_read_endio()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix use-after-free in btrfs_encoded_read_endio()

	Shinichiro reported the following use-after free that sometimes is
	happening in our CI system when running fstests' btrfs/284 on a TCMU
	runner device:

	BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
	Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219

	CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15
	Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
	Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
	Call Trace:
	<TASK>
	dump_stack_lvl+0x6e/0xa0
	? lock_release+0x708/0x780
	print_report+0x174/0x505
	? lock_release+0x708/0x780
	? __virt_addr_valid+0x224/0x410
	? lock_release+0x708/0x780
	kasan_report+0xda/0x1b0
	? lock_release+0x708/0x780
	? __wake_up+0x44/0x60
	lock_release+0x708/0x780
	? __pfx_lock_release+0x10/0x10
	? __pfx_do_raw_spin_lock+0x10/0x10
	? lock_is_held_type+0x9a/0x110
	_raw_spin_unlock_irqrestore+0x1f/0x60
	__wake_up+0x44/0x60
	btrfs_encoded_read_endio+0x14b/0x190 [btrfs]
	btrfs_check_read_bio+0x8d9/0x1360 [btrfs]
	? lock_release+0x1b0/0x780
	? trace_lock_acquire+0x12f/0x1a0
	? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]
	? process_one_work+0x7e3/0x1460
	? lock_acquire+0x31/0xc0
	? process_one_work+0x7e3/0x1460
	process_one_work+0x85c/0x1460
	? __pfx_process_one_work+0x10/0x10
	? assign_work+0x16c/0x240
	worker_thread+0x5e6/0xfc0
	? __pfx_worker_thread+0x10/0x10
	kthread+0x2c3/0x3a0
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x31/0x70
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1a/0x30
	</TASK>

	Allocated by task 3661:
	kasan_save_stack+0x30/0x50
	kasan_save_track+0x14/0x30
	__kasan_kmalloc+0xaa/0xb0
	btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]
	send_extent_data+0xf0f/0x24a0 [btrfs]
	process_extent+0x48a/0x1830 [btrfs]
	changed_cb+0x178b/0x2ea0 [btrfs]
	btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
	_btrfs_ioctl_send+0x117/0x330 [btrfs]
	btrfs_ioctl+0x184a/0x60a0 [btrfs]
	__x64_sys_ioctl+0x12e/0x1a0
	do_syscall_64+0x95/0x180
	entry_SYSCALL_64_after_hwframe+0x76/0x7e

	Freed by task 3661:
	kasan_save_stack+0x30/0x50
	kasan_save_track+0x14/0x30
	kasan_save_free_info+0x3b/0x70
	__kasan_slab_free+0x4f/0x70
	kfree+0x143/0x490
	btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]
	send_extent_data+0xf0f/0x24a0 [btrfs]
	process_extent+0x48a/0x1830 [btrfs]
	changed_cb+0x178b/0x2ea0 [btrfs]
	btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
	_btrfs_ioctl_send+0x117/0x330 [btrfs]
	btrfs_ioctl+0x184a/0x60a0 [btrfs]
	__x64_sys_ioctl+0x12e/0x1a0
	do_syscall_64+0x95/0x180
	entry_SYSCALL_64_after_hwframe+0x76/0x7e

	The buggy address belongs to the object at ffff888106a83f00
	which belongs to the cache kmalloc-rnd-07-96 of size 96
	The buggy address is located 24 bytes inside of
	freed 96-byte region [ffff888106a83f00, ffff888106a83f60)

	The buggy address belongs to the physical page:
	page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83
	flags: 0x17ffffc0000000(node=0\|zone=2\|lastcpupid=0x1fffff)
	page_type: f5(slab)
	raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004
	raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000
	page dumped because: kasan: bad access detected

	Memory state around the buggy address:
	ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	>ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	^
	ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	==================================================================

	Further analyzing the trace and the crash dump's vmcore file shows that
	the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on
	the wait_queue that is in the private data passed to the end_io handler.

	Commit 4ff47df40447 ("btrfs: move priv off stack in
	btrfs_encoded_read_regular_fill_pages()") moved 'struct
	btrfs_encoded_read_private' off the stack.

	Before that commit one can see a corruption of the private data when
	analyzing the vmcore after a crash:

	(struct btrfs_encoded_read_private )0xffff88815626eec8 = {
	.wait = (wait_queue_head_t){
	.lock = (spinlock_t){
	.rlock = (struct raw_spinlock){
	.raw_lock = (arch_spinlock_t){
	.val = (atomic_t){
	.counter = (int)-2005885696,
	},
	.locked = (u8)0,
	.pending = (u8)157,
	.locked_pending = (u16)40192,
	.tail = (u16)34928,
	},
	.magic = (unsigned int)536325682,
	.owner_cpu = (unsigned int)29,
	.owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0,
	.dep_map = (struct lockdep_map){
	.key = (struct lock_class_key *)0xffff8881575a3b6c,
	.class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
	.name = (const char *)0xffff88815626f100 = "",
	.wait_type_outer = (u8)37,
	.wait_type_inner = (u8)178,
	.lock_type = (u8)154,
	},
	},
	.__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 },
	.dep_map = (struct lockdep_map){
	.key = (struct lock_class_key *)0xffff8881575a3b6c,
	.class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
	.name = (const char *)0xffff88815626f100 = "",
	.wait_type_outer = (u8)37,
	.wait_type_inner = (u8)178,
	.lock_type = (u8)154,
	},
	},
	.head = (struct list_head){
	.next = (struct list_head *)0x112cca,
	.prev = (struct list_head *)0x47,
	},
	},
	.pending = (atomic_t){
	.counter = (int)-1491499288,
	},
	.status = (blk_status_t)130,
	}

	Here we can see several indicators of in-memory data corruption, e.g. the
	large negative atomic values of ->pending or
	->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic
	0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus
	pointer values for ->wait->head.

	To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the
	corruption, as atomic_dec_return() is defined as two instructions on
	x86_64, whereas atomic_dec_and_test() is defined as a single atomic
	operation. This can lead to a situation where counter value is already
	decremented but the if statement in btrfs_encoded_read_endio() is not
	completely processed, i.e. the 0 test has not completed. If another thread
	continues executing btrfs_encoded_read_regular_fill_pages() the
	atomic_dec_return() there can see an already updated ->pending counter and
	continues by freeing the private data. Continuing in the endio handler the
	test for 0 succeeds and the wait_queue is woken up, resulting in a
	use-after-free.

	The Linux kernel CVE team has assigned CVE-2024-56582 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.1.124 with commit a40de0330af4fb7bc6b354250c24f294f8b826a0
	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.6.70 with commit 6228f13f1996a4feb9b601d6644bf0bfe03671dd
	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.12.4 with commit f8a5129e4a9fc3f6aa3f137513253b51b31b94d4
	Issue introduced in 5.18 with commit 1881fba89bd5dcd364d2e1bf561912a90a11c21a and fixed in 6.13 with commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56582
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a40de0330af4fb7bc6b354250c24f294f8b826a0
	https://git.kernel.org/stable/c/6228f13f1996a4feb9b601d6644bf0bfe03671dd
	https://git.kernel.org/stable/c/f8a5129e4a9fc3f6aa3f137513253b51b31b94d4
	https://git.kernel.org/stable/c/05b36b04d74a517d6675bf2f90829ff1ac7e28dc