| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-49868: btrfs: fix a NULL pointer dereference when failed to start a new trasacntion |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| btrfs: fix a NULL pointer dereference when failed to start a new trasacntion |
| |
| [BUG] |
| Syzbot reported a NULL pointer dereference with the following crash: |
| |
| FAULT_INJECTION: forcing a failure. |
| start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 |
| prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 |
| relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 |
| ... |
| BTRFS info (device loop0): balance: ended with status: -12 |
| Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI |
| KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667] |
| RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926 |
| Call Trace: |
| <TASK> |
| commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496 |
| btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430 |
| del_balance_item fs/btrfs/volumes.c:3678 [inline] |
| reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742 |
| btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574 |
| btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 |
| vfs_ioctl fs/ioctl.c:51 [inline] |
| __do_sys_ioctl fs/ioctl.c:907 [inline] |
| __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 |
| do_syscall_x64 arch/x86/entry/common.c:52 [inline] |
| do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 |
| entry_SYSCALL_64_after_hwframe+0x77/0x7f |
| |
| [CAUSE] |
| The allocation failure happens at the start_transaction() inside |
| prepare_to_relocate(), and during the error handling we call |
| unset_reloc_control(), which makes fs_info->balance_ctl to be NULL. |
| |
| Then we continue the error path cleanup in btrfs_balance() by calling |
| reset_balance_state() which will call del_balance_item() to fully delete |
| the balance item in the root tree. |
| |
| However during the small window between set_reloc_contrl() and |
| unset_reloc_control(), we can have a subvolume tree update and created a |
| reloc_root for that subvolume. |
| |
| Then we go into the final btrfs_commit_transaction() of |
| del_balance_item(), and into btrfs_update_reloc_root() inside |
| commit_fs_roots(). |
| |
| That function checks if fs_info->reloc_ctl is in the merge_reloc_tree |
| stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer |
| dereference. |
| |
| [FIX] |
| Just add extra check on fs_info->reloc_ctl inside |
| btrfs_update_reloc_root(), before checking |
| fs_info->reloc_ctl->merge_reloc_tree. |
| |
| That DEAD_RELOC_TREE handling is to prevent further modification to the |
| reloc tree during merge stage, but since there is no reloc_ctl at all, |
| we do not need to bother that. |
| |
| The Linux kernel CVE team has assigned CVE-2024-49868 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.4.285 with commit 1282f001cbf56e5dd6e90a18e205a566793f4be0 |
| Fixed in 5.10.227 with commit d73d48acf36f57362df7e4f9d76568168bf5e944 |
| Fixed in 5.15.168 with commit 37fee9c220b92c3b7bf22b51c51dde5364e7590b |
| Fixed in 6.1.113 with commit d13249c0df7aab885acb149695f82c54c0822a70 |
| Fixed in 6.6.55 with commit 7ad0c5868f2f0418619089513d95230c66cb7eb4 |
| Fixed in 6.10.14 with commit dc02c1440705e3451abd1c2c8114a5c1bb188e9f |
| Fixed in 6.11.3 with commit 39356ec0e319ed07627b3a0f402d0608546509e6 |
| Fixed in 6.12 with commit c3b47f49e83197e8dffd023ec568403bcdbb774b |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-49868 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/btrfs/relocation.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0 |
| https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944 |
| https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b |
| https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70 |
| https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4 |
| https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f |
| https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6 |
| https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b |
