cve/published/2024/CVE-2024-41067.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: scrub: handle RST lookup error correctly

 [BUG]
 When running btrfs/060 with forced RST feature, it would crash the
 following ASSERT() inside scrub_read_endio():

 	ASSERT(sector_nr < stripe->nr_sectors);

 Before that, we would have tree dump from
 btrfs_get_raid_extent_offset(), as we failed to find the RST entry for
 the range.

 [CAUSE]
 Inside scrub_submit_extent_sector_read() every time we allocated a new
 bbio we immediately called btrfs_map_block() to make sure there was some
 RST range covering the scrub target.

 But if btrfs_map_block() fails, we immediately call endio for the bbio,
 while the bbio is newly allocated, it's completely empty.

 Then inside scrub_read_endio(), we go through the bvecs to find
 the sector number (as bi_sector is no longer reliable if the bio is
 submitted to lower layers).

 And since the bio is empty, such bvecs iteration would not find any
 sector matching the sector, and return sector_nr == stripe->nr_sectors,
 triggering the ASSERT().

 [FIX]
 Instead of calling btrfs_map_block() after allocating a new bbio, call
 btrfs_map_block() first.

 Since our only objective of calling btrfs_map_block() is only to update
 stripe_len, there is really no need to do that after btrfs_alloc_bio().

 This new timing would avoid the problem of handling empty bbio
 completely, and in fact fixes a possible race window for the old code,
 where if the submission thread is the only owner of the pending_io, the
 scrub would never finish (since we didn't decrease the pending_io
 counter).

 Although the root cause of RST lookup failure still needs to be
 addressed.

 The Linux kernel CVE team has assigned CVE-2024-41067 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.9.11 with commit 17d1fd302a53d7e456a7412da74be74a0cf63a72
 	Fixed in 6.10 with commit 2c49908634a2b97b1c3abe0589be2739ac5e7fd5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41067
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/scrub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72
 	https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: scrub: handle RST lookup error correctly

	[BUG]
	When running btrfs/060 with forced RST feature, it would crash the
	following ASSERT() inside scrub_read_endio():

	ASSERT(sector_nr < stripe->nr_sectors);

	Before that, we would have tree dump from
	btrfs_get_raid_extent_offset(), as we failed to find the RST entry for
	the range.

	[CAUSE]
	Inside scrub_submit_extent_sector_read() every time we allocated a new
	bbio we immediately called btrfs_map_block() to make sure there was some
	RST range covering the scrub target.

	But if btrfs_map_block() fails, we immediately call endio for the bbio,
	while the bbio is newly allocated, it's completely empty.

	Then inside scrub_read_endio(), we go through the bvecs to find
	the sector number (as bi_sector is no longer reliable if the bio is
	submitted to lower layers).

	And since the bio is empty, such bvecs iteration would not find any
	sector matching the sector, and return sector_nr == stripe->nr_sectors,
	triggering the ASSERT().

	[FIX]
	Instead of calling btrfs_map_block() after allocating a new bbio, call
	btrfs_map_block() first.

	Since our only objective of calling btrfs_map_block() is only to update
	stripe_len, there is really no need to do that after btrfs_alloc_bio().

	This new timing would avoid the problem of handling empty bbio
	completely, and in fact fixes a possible race window for the old code,
	where if the submission thread is the only owner of the pending_io, the
	scrub would never finish (since we didn't decrease the pending_io
	counter).

	Although the root cause of RST lookup failure still needs to be
	addressed.

	The Linux kernel CVE team has assigned CVE-2024-41067 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.9.11 with commit 17d1fd302a53d7e456a7412da74be74a0cf63a72
	Fixed in 6.10 with commit 2c49908634a2b97b1c3abe0589be2739ac5e7fd5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41067
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/scrub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72
	https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5