cve/published/2024/CVE-2024-57806.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57806: btrfs: fix transaction atomicity bug when enabling simple quotas

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix transaction atomicity bug when enabling simple quotas

 Set squota incompat bit before committing the transaction that enables
 the feature.

 With the config CONFIG_BTRFS_ASSERT enabled, an assertion
 failure occurs regarding the simple quota feature.

   [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365
   [5.597098] ------------[ cut here ]------------
   [5.597371] kernel BUG at fs/btrfs/qgroup.c:365!
   [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146
   [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
   [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0
   [5.604303]  <TASK>
   [5.605230]  ? btrfs_read_qgroup_config+0x74d/0x7a0
   [5.605538]  ? exc_invalid_op+0x56/0x70
   [5.605775]  ? btrfs_read_qgroup_config+0x74d/0x7a0
   [5.606066]  ? asm_exc_invalid_op+0x1f/0x30
   [5.606441]  ? btrfs_read_qgroup_config+0x74d/0x7a0
   [5.606741]  ? btrfs_read_qgroup_config+0x74d/0x7a0
   [5.607038]  ? try_to_wake_up+0x317/0x760
   [5.607286]  open_ctree+0xd9c/0x1710
   [5.607509]  btrfs_get_tree+0x58a/0x7e0
   [5.608002]  vfs_get_tree+0x2e/0x100
   [5.608224]  fc_mount+0x16/0x60
   [5.608420]  btrfs_get_tree+0x2f8/0x7e0
   [5.608897]  vfs_get_tree+0x2e/0x100
   [5.609121]  path_mount+0x4c8/0xbc0
   [5.609538]  __x64_sys_mount+0x10d/0x150

 The issue can be easily reproduced using the following reproducer:

   root@q:linux# cat repro.sh
   set -e

   mkfs.btrfs -q -f /dev/sdb
   mount /dev/sdb /mnt/btrfs
   btrfs quota enable -s /mnt/btrfs
   umount /mnt/btrfs
   mount /dev/sdb /mnt/btrfs

 The issue is that when enabling quotas, at btrfs_quota_enable(), we set
 BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist
 it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but
 we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we
 commit the transaction used to enable simple quotas.

 This means that if after that transaction commit we unmount the filesystem
 without starting and committing any other transaction, or we have a power
 failure, the next time we mount the filesystem we will find the flag
 BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key
 BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit
 BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an
 assertion failure at:

   btrfs_read_qgroup_config() -> qgroup_read_enable_gen()

 To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag
 immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE.
 This ensures that both flags are flushed to disk within the same
 transaction.

 The Linux kernel CVE team has assigned CVE-2024-57806 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 182940f4f4dbd932776414744c8de64333957725 and fixed in 6.12.8 with commit b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed
 	Issue introduced in 6.7 with commit 182940f4f4dbd932776414744c8de64333957725 and fixed in 6.13 with commit f2363e6fcc7938c5f0f6ac066fad0dd247598b51

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57806
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/qgroup.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed
 	https://git.kernel.org/stable/c/f2363e6fcc7938c5f0f6ac066fad0dd247598b51
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57806: btrfs: fix transaction atomicity bug when enabling simple quotas

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix transaction atomicity bug when enabling simple quotas

	Set squota incompat bit before committing the transaction that enables
	the feature.

	With the config CONFIG_BTRFS_ASSERT enabled, an assertion
	failure occurs regarding the simple quota feature.

	[5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365
	[5.597098] ------------[ cut here ]------------
	[5.597371] kernel BUG at fs/btrfs/qgroup.c:365!
	[5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146
	[5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
	[5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0
	[5.604303] <TASK>
	[5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0
	[5.605538] ? exc_invalid_op+0x56/0x70
	[5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0
	[5.606066] ? asm_exc_invalid_op+0x1f/0x30
	[5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0
	[5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0
	[5.607038] ? try_to_wake_up+0x317/0x760
	[5.607286] open_ctree+0xd9c/0x1710
	[5.607509] btrfs_get_tree+0x58a/0x7e0
	[5.608002] vfs_get_tree+0x2e/0x100
	[5.608224] fc_mount+0x16/0x60
	[5.608420] btrfs_get_tree+0x2f8/0x7e0
	[5.608897] vfs_get_tree+0x2e/0x100
	[5.609121] path_mount+0x4c8/0xbc0
	[5.609538] __x64_sys_mount+0x10d/0x150

	The issue can be easily reproduced using the following reproducer:

	root@q:linux# cat repro.sh
	set -e

	mkfs.btrfs -q -f /dev/sdb
	mount /dev/sdb /mnt/btrfs
	btrfs quota enable -s /mnt/btrfs
	umount /mnt/btrfs
	mount /dev/sdb /mnt/btrfs

	The issue is that when enabling quotas, at btrfs_quota_enable(), we set
	BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist
	it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but
	we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we
	commit the transaction used to enable simple quotas.

	This means that if after that transaction commit we unmount the filesystem
	without starting and committing any other transaction, or we have a power
	failure, the next time we mount the filesystem we will find the flag
	BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key
	BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit
	BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an
	assertion failure at:

	btrfs_read_qgroup_config() -> qgroup_read_enable_gen()

	To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag
	immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE.
	This ensures that both flags are flushed to disk within the same
	transaction.

	The Linux kernel CVE team has assigned CVE-2024-57806 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 182940f4f4dbd932776414744c8de64333957725 and fixed in 6.12.8 with commit b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed
	Issue introduced in 6.7 with commit 182940f4f4dbd932776414744c8de64333957725 and fixed in 6.13 with commit f2363e6fcc7938c5f0f6ac066fad0dd247598b51

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57806
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/qgroup.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed
	https://git.kernel.org/stable/c/f2363e6fcc7938c5f0f6ac066fad0dd247598b51