cve/published/2024/CVE-2024-35849.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35849: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

 Syzbot reported the following information leak for in
 btrfs_ioctl_logical_to_ino():

   BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
   BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
    instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    _copy_to_user+0xbc/0x110 lib/usercopy.c:40
    copy_to_user include/linux/uaccess.h:191 [inline]
    btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
    btrfs_ioctl+0x714/0x1260
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:904 [inline]
    __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
    __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
    x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

   Uninit was created at:
    __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
    __do_kmalloc_node mm/slub.c:3954 [inline]
    __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
    kmalloc_node include/linux/slab.h:648 [inline]
    kvmalloc_node+0xc0/0x2d0 mm/util.c:634
    kvmalloc include/linux/slab.h:766 [inline]
    init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
    btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
    btrfs_ioctl+0x714/0x1260
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:904 [inline]
    __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
    __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
    x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

   Bytes 40-65535 of 65536 are uninitialized
   Memory access of size 65536 starts at ffff888045a40000

 This happens, because we're copying a 'struct btrfs_data_container' back
 to user-space. This btrfs_data_container is allocated in
 'init_data_container()' via kvmalloc(), which does not zero-fill the
 memory.

 Fix this by using kvzalloc() which zeroes out the memory on allocation.

 The Linux kernel CVE team has assigned CVE-2024-35849 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.313 with commit 689efe22e9b5b7d9d523119a9a5c3c17107a0772
 	Fixed in 5.4.275 with commit 73db209dcd4ae026021234d40cfcb2fb5b564b86
 	Fixed in 5.10.216 with commit 30189e54ba80e3209d34cfeea87b848f6ae025e6
 	Fixed in 5.15.158 with commit e58047553a4e859dafc8d1d901e1de77c9dd922d
 	Fixed in 6.1.90 with commit 8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
 	Fixed in 6.6.30 with commit 3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
 	Fixed in 6.8.9 with commit fddc19631c51d9c17d43e9f822a7bc403af88d54
 	Fixed in 6.9 with commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35849
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/backref.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772
 	https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86
 	https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6
 	https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d
 	https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
 	https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
 	https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54
 	https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35849: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

	Syzbot reported the following information leak for in
	btrfs_ioctl_logical_to_ino():

	BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
	instrument_copy_to_user include/linux/instrumented.h:114 [inline]
	_copy_to_user+0xbc/0x110 lib/usercopy.c:40
	copy_to_user include/linux/uaccess.h:191 [inline]
	btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
	btrfs_ioctl+0x714/0x1260
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:904 [inline]
	__se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
	__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
	x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Uninit was created at:
	__kmalloc_large_node+0x231/0x370 mm/slub.c:3921
	__do_kmalloc_node mm/slub.c:3954 [inline]
	__kmalloc_node+0xb07/0x1060 mm/slub.c:3973
	kmalloc_node include/linux/slab.h:648 [inline]
	kvmalloc_node+0xc0/0x2d0 mm/util.c:634
	kvmalloc include/linux/slab.h:766 [inline]
	init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
	btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
	btrfs_ioctl+0x714/0x1260
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:904 [inline]
	__se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
	__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
	x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Bytes 40-65535 of 65536 are uninitialized
	Memory access of size 65536 starts at ffff888045a40000

	This happens, because we're copying a 'struct btrfs_data_container' back
	to user-space. This btrfs_data_container is allocated in
	'init_data_container()' via kvmalloc(), which does not zero-fill the
	memory.

	Fix this by using kvzalloc() which zeroes out the memory on allocation.

	The Linux kernel CVE team has assigned CVE-2024-35849 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.313 with commit 689efe22e9b5b7d9d523119a9a5c3c17107a0772
	Fixed in 5.4.275 with commit 73db209dcd4ae026021234d40cfcb2fb5b564b86
	Fixed in 5.10.216 with commit 30189e54ba80e3209d34cfeea87b848f6ae025e6
	Fixed in 5.15.158 with commit e58047553a4e859dafc8d1d901e1de77c9dd922d
	Fixed in 6.1.90 with commit 8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
	Fixed in 6.6.30 with commit 3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
	Fixed in 6.8.9 with commit fddc19631c51d9c17d43e9f822a7bc403af88d54
	Fixed in 6.9 with commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35849
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/backref.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772
	https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86
	https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6
	https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d
	https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
	https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
	https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54
	https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf