cve/published/2024/CVE-2024-35956.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35956: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

 Create subvolume, create snapshot and delete subvolume all use
 btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
 done to the parent subvolume's fs tree, which cannot be mediated in the
 normal way via start_transaction. When quota groups (squota or qgroups)
 are enabled, this reserves qgroup metadata of type PREALLOC. Once the
 operation is associated to a transaction, we convert PREALLOC to
 PERTRANS, which gets cleared in bulk at the end of the transaction.

 However, the error paths of these three operations were not implementing
 this lifecycle correctly. They unconditionally converted the PREALLOC to
 PERTRANS in a generic cleanup step regardless of errors or whether the
 operation was fully associated to a transaction or not. This resulted in
 error paths occasionally converting this rsv to PERTRANS without calling
 record_root_in_trans successfully, which meant that unless that root got
 recorded in the transaction by some other thread, the end of the
 transaction would not free that root's PERTRANS, leaking it. Ultimately,
 this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
 for the leaked reservation.

 The fix is to ensure that every qgroup PREALLOC reservation observes the
 following properties:

 1. any failure before record_root_in_trans is called successfully
    results in freeing the PREALLOC reservation.
 2. after record_root_in_trans, we convert to PERTRANS, and now the
    transaction owns freeing the reservation.

 This patch enforces those properties on the three operations. Without
 it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
 runs on my system. With this patch, it ran successfully 1000 times in a
 row.

 The Linux kernel CVE team has assigned CVE-2024-35956 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.1.120 with commit 945559be6e282a812dc48f7bcd5adc60901ea4a0
 	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.6.28 with commit 14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
 	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.8.7 with commit 6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
 	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.9 with commit 74e97958121aa1f5854da6effba70143f051b0cd
 	Issue introduced in 5.9.5 with commit 2978cb474745b2d93c263008d265e89985706094

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35956
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/inode.c
 	fs/btrfs/ioctl.c
 	fs/btrfs/root-tree.c
 	fs/btrfs/root-tree.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0
 	https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
 	https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
 	https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35956: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

	Create subvolume, create snapshot and delete subvolume all use
	btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
	done to the parent subvolume's fs tree, which cannot be mediated in the
	normal way via start_transaction. When quota groups (squota or qgroups)
	are enabled, this reserves qgroup metadata of type PREALLOC. Once the
	operation is associated to a transaction, we convert PREALLOC to
	PERTRANS, which gets cleared in bulk at the end of the transaction.

	However, the error paths of these three operations were not implementing
	this lifecycle correctly. They unconditionally converted the PREALLOC to
	PERTRANS in a generic cleanup step regardless of errors or whether the
	operation was fully associated to a transaction or not. This resulted in
	error paths occasionally converting this rsv to PERTRANS without calling
	record_root_in_trans successfully, which meant that unless that root got
	recorded in the transaction by some other thread, the end of the
	transaction would not free that root's PERTRANS, leaking it. Ultimately,
	this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
	for the leaked reservation.

	The fix is to ensure that every qgroup PREALLOC reservation observes the
	following properties:

	1. any failure before record_root_in_trans is called successfully
	results in freeing the PREALLOC reservation.
	2. after record_root_in_trans, we convert to PERTRANS, and now the
	transaction owns freeing the reservation.

	This patch enforces those properties on the three operations. Without
	it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
	runs on my system. With this patch, it ran successfully 1000 times in a
	row.

	The Linux kernel CVE team has assigned CVE-2024-35956 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.1.120 with commit 945559be6e282a812dc48f7bcd5adc60901ea4a0
	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.6.28 with commit 14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.8.7 with commit 6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
	Issue introduced in 5.10 with commit e85fde5162bf1b242cbd6daf7dba0f9b457d592b and fixed in 6.9 with commit 74e97958121aa1f5854da6effba70143f051b0cd
	Issue introduced in 5.9.5 with commit 2978cb474745b2d93c263008d265e89985706094

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35956
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/inode.c
	fs/btrfs/ioctl.c
	fs/btrfs/root-tree.c
	fs/btrfs/root-tree.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0
	https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
	https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
	https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd