cve/published/2024/CVE-2024-35798.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35798: btrfs: fix race in read_extent_buffer_pages()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix race in read_extent_buffer_pages()

 There are reports from tree-checker that detects corrupted nodes,
 without any obvious pattern so possibly an overwrite in memory.
 After some debugging it turns out there's a race when reading an extent
 buffer the uptodate status can be missed.

 To prevent concurrent reads for the same extent buffer,
 read_extent_buffer_pages() performs these checks:

     /* (1) */
     if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
         return 0;

     /* (2) */
     if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
         goto done;

 At this point, it seems safe to start the actual read operation. Once
 that completes, end_bbio_meta_read() does

     /* (3) */
     set_extent_buffer_uptodate(eb);

     /* (4) */
     clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

 Normally, this is enough to ensure only one read happens, and all other
 callers wait for it to finish before returning.  Unfortunately, there is
 a racey interleaving:

     Thread A | Thread B | Thread C
     ---------+----------+---------
        (1)   |          |
              |    (1)   |
        (2)   |          |
        (3)   |          |
        (4)   |          |
              |    (2)   |
              |          |    (1)

 When this happens, thread B kicks of an unnecessary read. Worse, thread
 C will see UPTODATE set and return immediately, while the read from
 thread B is still in progress.  This race could result in tree-checker
 errors like this as the extent buffer is concurrently modified:

     BTRFS critical (device dm-0): corrupted node, root=256
     block=8550954455682405139 owner mismatch, have 11858205567642294356
     expect [256, 18446744073709551360]

 Fix it by testing UPTODATE again after setting the READING bit, and if
 it's been set, skip the unnecessary read.

 [ minor update of changelog ]

 The Linux kernel CVE team has assigned CVE-2024-35798 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.6.24 with commit 0427c8ef8bbb7f304de42ef51d69c960e165e052
 	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.7.12 with commit 3a25878a3378adce5d846300c9570f15aa7f7a80
 	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.8.3 with commit 2885d54af2c2e1d910e20d5c8045bae40e02fbc1
 	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.9 with commit ef1e68236b9153c27cb7cf29ead0c532870d4215

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35798
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/extent_io.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052
 	https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80
 	https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1
 	https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35798: btrfs: fix race in read_extent_buffer_pages()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix race in read_extent_buffer_pages()

	There are reports from tree-checker that detects corrupted nodes,
	without any obvious pattern so possibly an overwrite in memory.
	After some debugging it turns out there's a race when reading an extent
	buffer the uptodate status can be missed.

	To prevent concurrent reads for the same extent buffer,
	read_extent_buffer_pages() performs these checks:

	/* (1) */
	if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
	return 0;

	/* (2) */
	if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
	goto done;

	At this point, it seems safe to start the actual read operation. Once
	that completes, end_bbio_meta_read() does

	/* (3) */
	set_extent_buffer_uptodate(eb);

	/* (4) */
	clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

	Normally, this is enough to ensure only one read happens, and all other
	callers wait for it to finish before returning. Unfortunately, there is
	a racey interleaving:

	Thread A \| Thread B \| Thread C
	---------+----------+---------
	(1) \| \|
	\| (1) \|
	(2) \| \|
	(3) \| \|
	(4) \| \|
	\| (2) \|
	\| \| (1)

	When this happens, thread B kicks of an unnecessary read. Worse, thread
	C will see UPTODATE set and return immediately, while the read from
	thread B is still in progress. This race could result in tree-checker
	errors like this as the extent buffer is concurrently modified:

	BTRFS critical (device dm-0): corrupted node, root=256
	block=8550954455682405139 owner mismatch, have 11858205567642294356
	expect [256, 18446744073709551360]

	Fix it by testing UPTODATE again after setting the READING bit, and if
	it's been set, skip the unnecessary read.

	[ minor update of changelog ]

	The Linux kernel CVE team has assigned CVE-2024-35798 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.6.24 with commit 0427c8ef8bbb7f304de42ef51d69c960e165e052
	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.7.12 with commit 3a25878a3378adce5d846300c9570f15aa7f7a80
	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.8.3 with commit 2885d54af2c2e1d910e20d5c8045bae40e02fbc1
	Issue introduced in 6.5 with commit d7172f52e9933b6ec9305e7fe6e829e3939dba04 and fixed in 6.9 with commit ef1e68236b9153c27cb7cf29ead0c532870d4215

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35798
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/extent_io.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052
	https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80
	https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1
	https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215