cve/published/2024/CVE-2024-26727.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26727: btrfs: do not ASSERT() if the newly created subvolume already got read

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: do not ASSERT() if the newly created subvolume already got read

 [BUG]
 There is a syzbot crash, triggered by the ASSERT() during subvolume
 creation:

  assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/disk-io.c:1319!
  invalid opcode: 0000 [#1] PREEMPT SMP KASAN
  RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60
   <TASK>
   btrfs_get_new_fs_root+0xd3/0xf0
   create_subvol+0xd02/0x1650
   btrfs_mksubvol+0xe95/0x12b0
   __btrfs_ioctl_snap_create+0x2f9/0x4f0
   btrfs_ioctl_snap_create+0x16b/0x200
   btrfs_ioctl+0x35f0/0x5cf0
   __x64_sys_ioctl+0x19d/0x210
   do_syscall_64+0x3f/0xe0
   entry_SYSCALL_64_after_hwframe+0x63/0x6b
  ---[ end trace 0000000000000000 ]---

 [CAUSE]
 During create_subvol(), after inserting root item for the newly created
 subvolume, we would trigger btrfs_get_new_fs_root() to get the
 btrfs_root of that subvolume.

 The idea here is, we have preallocated an anonymous device number for
 the subvolume, thus we can assign it to the new subvolume.

 But there is really nothing preventing things like backref walk to read
 the new subvolume.
 If that happens before we call btrfs_get_new_fs_root(), the subvolume
 would be read out, with a new anonymous device number assigned already.

 In that case, we would trigger ASSERT(), as we really expect no one to
 read out that subvolume (which is not yet accessible from the fs).
 But things like backref walk is still possible to trigger the read on
 the subvolume.

 Thus our assumption on the ASSERT() is not correct in the first place.

 [FIX]
 Fix it by removing the ASSERT(), and just free the @anon_dev, reset it
 to 0, and continue.

 If the subvolume tree is read out by something else, it should have
 already get a new anon_dev assigned thus we only need to free the
 preallocated one.

 The Linux kernel CVE team has assigned CVE-2024-26727 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 5.10.210 with commit 3f5d47eb163bceb1b9e613c9003bae5fefc0046f
 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 5.15.149 with commit e31546b0f34af21738c4ceac47d662c00ee6382f
 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.1.79 with commit 66b317a2fc45b2ef66527ee3f8fa08fb5beab88d
 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.6.18 with commit 833775656d447c545133a744a0ed1e189ce61430
 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.7.6 with commit 5a172344bfdabb46458e03708735d7b1a918c468
 	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.8 with commit e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb
 	Issue introduced in 5.8.3 with commit 917d608fe375041eb7f29befa6a6d7fd3cf32dde

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26727
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/disk-io.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f
 	https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f
 	https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d
 	https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430
 	https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468
 	https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26727: btrfs: do not ASSERT() if the newly created subvolume already got read

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: do not ASSERT() if the newly created subvolume already got read

	[BUG]
	There is a syzbot crash, triggered by the ASSERT() during subvolume
	creation:

	assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319
	------------[ cut here ]------------
	kernel BUG at fs/btrfs/disk-io.c:1319!
	invalid opcode: 0000 [#1] PREEMPT SMP KASAN
	RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60
	<TASK>
	btrfs_get_new_fs_root+0xd3/0xf0
	create_subvol+0xd02/0x1650
	btrfs_mksubvol+0xe95/0x12b0
	__btrfs_ioctl_snap_create+0x2f9/0x4f0
	btrfs_ioctl_snap_create+0x16b/0x200
	btrfs_ioctl+0x35f0/0x5cf0
	__x64_sys_ioctl+0x19d/0x210
	do_syscall_64+0x3f/0xe0
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	---[ end trace 0000000000000000 ]---

	[CAUSE]
	During create_subvol(), after inserting root item for the newly created
	subvolume, we would trigger btrfs_get_new_fs_root() to get the
	btrfs_root of that subvolume.

	The idea here is, we have preallocated an anonymous device number for
	the subvolume, thus we can assign it to the new subvolume.

	But there is really nothing preventing things like backref walk to read
	the new subvolume.
	If that happens before we call btrfs_get_new_fs_root(), the subvolume
	would be read out, with a new anonymous device number assigned already.

	In that case, we would trigger ASSERT(), as we really expect no one to
	read out that subvolume (which is not yet accessible from the fs).
	But things like backref walk is still possible to trigger the read on
	the subvolume.

	Thus our assumption on the ASSERT() is not correct in the first place.

	[FIX]
	Fix it by removing the ASSERT(), and just free the @anon_dev, reset it
	to 0, and continue.

	If the subvolume tree is read out by something else, it should have
	already get a new anon_dev assigned thus we only need to free the
	preallocated one.

	The Linux kernel CVE team has assigned CVE-2024-26727 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 5.10.210 with commit 3f5d47eb163bceb1b9e613c9003bae5fefc0046f
	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 5.15.149 with commit e31546b0f34af21738c4ceac47d662c00ee6382f
	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.1.79 with commit 66b317a2fc45b2ef66527ee3f8fa08fb5beab88d
	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.6.18 with commit 833775656d447c545133a744a0ed1e189ce61430
	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.7.6 with commit 5a172344bfdabb46458e03708735d7b1a918c468
	Issue introduced in 5.9 with commit 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 and fixed in 6.8 with commit e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb
	Issue introduced in 5.8.3 with commit 917d608fe375041eb7f29befa6a6d7fd3cf32dde

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26727
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/disk-io.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f
	https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f
	https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d
	https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430
	https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468
	https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb