cve/published/2024/CVE-2024-35949.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: make sure that WRITTEN is set on all metadata blocks

 We previously would call btrfs_check_leaf() if we had the check
 integrity code enabled, which meant that we could only run the extended
 leaf checks if we had WRITTEN set on the header flags.

 This leaves a gap in our checking, because we could end up with
 corruption on disk where WRITTEN isn't set on the leaf, and then the
 extended leaf checks don't get run which we rely on to validate all of
 the item pointers to make sure we don't access memory outside of the
 extent buffer.

 However, since 732fab95abe2 ("btrfs: check-integrity: remove
 CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call
 btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only
 ever call it on blocks that are being written out, and thus have WRITTEN
 set, or that are being read in, which should have WRITTEN set.

 Add checks to make sure we have WRITTEN set appropriately, and then make
 sure __btrfs_check_leaf() always does the item checking.  This will
 protect us from file systems that have been corrupted and no longer have
 WRITTEN set on some of the blocks.

 This was hit on a crafted image tweaking the WRITTEN bit and reported by
 KASAN as out-of-bound access in the eb accessors. The example is a dir
 item at the end of an eb.

   [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2
   [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
   [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]
   [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1
   [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
   [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0
   [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206
   [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0
   [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748
   [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9
   [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a
   [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8
   [2.621] FS:  00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
   [2.621] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0
   [2.621] Call Trace:
   [2.621]  <TASK>
   [2.621]  ? show_regs+0x74/0x80
   [2.621]  ? die_addr+0x46/0xc0
   [2.621]  ? exc_general_protection+0x161/0x2a0
   [2.621]  ? asm_exc_general_protection+0x26/0x30
   [2.621]  ? btrfs_get_16+0x33a/0x6d0
   [2.621]  ? btrfs_get_16+0x34b/0x6d0
   [2.621]  ? btrfs_get_16+0x33a/0x6d0
   [2.621]  ? __pfx_btrfs_get_16+0x10/0x10
   [2.621]  ? __pfx_mutex_unlock+0x10/0x10
   [2.621]  btrfs_match_dir_item_name+0x101/0x1a0
   [2.621]  btrfs_lookup_dir_item+0x1f3/0x280
   [2.621]  ? __pfx_btrfs_lookup_dir_item+0x10/0x10
   [2.621]  btrfs_get_tree+0xd25/0x1910

 [ copy more details from report ]

 The Linux kernel CVE team has assigned CVE-2024-35949 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.85 with commit 9dff3e36ea89e8003516841c27c45af562b6ef44
 	Fixed in 6.8.10 with commit ef3ba8ce8cf7075b716aa4afcefc3034215878ee
 	Fixed in 6.9 with commit e03418abde871314e1a3a550f4c8afb7b89cb273

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35949
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/tree-checker.c
 	fs/btrfs/tree-checker.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9dff3e36ea89e8003516841c27c45af562b6ef44
 	https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee
 	https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: make sure that WRITTEN is set on all metadata blocks

	We previously would call btrfs_check_leaf() if we had the check
	integrity code enabled, which meant that we could only run the extended
	leaf checks if we had WRITTEN set on the header flags.

	This leaves a gap in our checking, because we could end up with
	corruption on disk where WRITTEN isn't set on the leaf, and then the
	extended leaf checks don't get run which we rely on to validate all of
	the item pointers to make sure we don't access memory outside of the
	extent buffer.

	However, since 732fab95abe2 ("btrfs: check-integrity: remove
	CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call
	btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only
	ever call it on blocks that are being written out, and thus have WRITTEN
	set, or that are being read in, which should have WRITTEN set.

	Add checks to make sure we have WRITTEN set appropriately, and then make
	sure __btrfs_check_leaf() always does the item checking. This will
	protect us from file systems that have been corrupted and no longer have
	WRITTEN set on some of the blocks.

	This was hit on a crafted image tweaking the WRITTEN bit and reported by
	KASAN as out-of-bound access in the eb accessors. The example is a dir
	item at the end of an eb.

	[2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2
	[2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
	[2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]
	[2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1
	[2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	[2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0
	[2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206
	[2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0
	[2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748
	[2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9
	[2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a
	[2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8
	[2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
	[2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0
	[2.621] Call Trace:
	[2.621] <TASK>
	[2.621] ? show_regs+0x74/0x80
	[2.621] ? die_addr+0x46/0xc0
	[2.621] ? exc_general_protection+0x161/0x2a0
	[2.621] ? asm_exc_general_protection+0x26/0x30
	[2.621] ? btrfs_get_16+0x33a/0x6d0
	[2.621] ? btrfs_get_16+0x34b/0x6d0
	[2.621] ? btrfs_get_16+0x33a/0x6d0
	[2.621] ? __pfx_btrfs_get_16+0x10/0x10
	[2.621] ? __pfx_mutex_unlock+0x10/0x10
	[2.621] btrfs_match_dir_item_name+0x101/0x1a0
	[2.621] btrfs_lookup_dir_item+0x1f3/0x280
	[2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10
	[2.621] btrfs_get_tree+0xd25/0x1910

	[ copy more details from report ]

	The Linux kernel CVE team has assigned CVE-2024-35949 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.85 with commit 9dff3e36ea89e8003516841c27c45af562b6ef44
	Fixed in 6.8.10 with commit ef3ba8ce8cf7075b716aa4afcefc3034215878ee
	Fixed in 6.9 with commit e03418abde871314e1a3a550f4c8afb7b89cb273

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35949
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/tree-checker.c
	fs/btrfs/tree-checker.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9dff3e36ea89e8003516841c27c45af562b6ef44
	https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee
	https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273