Message-ID: <2024111931-CVE-2024-50273-6359@gregkh>
Date: Tue, 19 Nov 2024 02:32:28 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-50273: btrfs: reinitialize delayed ref list after deleting it from the list

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reinitialize delayed ref list after deleting it from the list

At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise.

So fix this by deleting from the list with list_del_init() instead.

The Linux kernel CVE team has assigned CVE-2024-50273 to this issue.
Affected and fixed versions
===========================

Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 4.19.324 with commit 2fd0948a483e
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 5.4.286 with commit 93c5b8decc0e
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 5.10.230 with commit bf0b0c6d1597
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 5.15.172 with commit c24fa427fc0a
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 6.1.117 with commit 2cb1a73d1d44
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 6.6.61 with commit f04be6d68f71
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 6.11.8 with commit 50a3933760b4
Issue introduced in 4.10 with commit 1d57ee941692 and fixed in 6.12 with commit c9a75ec45f11

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-50273 will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
fs/btrfs/delayed-ref.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d
https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0
https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851
https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931
https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a19357a92
https://git.kernel.org/stable/c/c9a75ec45f1111ef530ab186c2a7684d0a0c9245
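The list_del() versus list_del_init() distinction behind this advisory is easy to see in a user-space model. The block below is an added illustration, not kernel code and not the btrfs patch: it reimplements the four list_head primitives the description names with the kernel's poisoning semantics, replaces the CONFIG_DEBUG_LIST entry check with a small stand-in that detects poisoned pointers instead of dereferencing them, and uses simplified stand-ins (struct ref, struct ref_head, update_to_drop(), drop_ref()) for btrfs_delayed_ref_node, its ref head, insert_delayed_ref() and drop_delayed_ref(). The poison constants are placeholders chosen to be non-NULL, as in the kernel, so that a stale dereference would fault loudly rather than silently.

```c
/* Added illustration for CVE-2024-50273: user-space model of the kernel
 * list_head API.  Everything here is a simplified stand-in, not btrfs code. */
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* Placeholder poison values in the kernel's style: non-NULL, unmapped addresses. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

/* list_empty() only compares next against the head: it cannot tell an
 * initialised empty entry from a poisoned one. */
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev; prev->next = next;
}

/* Kernel list_del(): unlinks and poisons; the entry now looks non-empty. */
static void list_del(struct list_head *e)
{
    __list_del(e->prev, e->next);
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
}

/* Kernel list_del_init(): unlinks and re-initialises; list_empty() is true afterwards. */
static void list_del_init(struct list_head *e)
{
    __list_del(e->prev, e->next);
    INIT_LIST_HEAD(e);
}

/* Stand-in for the CONFIG_DEBUG_LIST entry validation: refuse to touch an
 * entry whose pointers are already poison rather than dereference them. */
static bool list_del_entry_valid(const struct list_head *e)
{
    return e->next != LIST_POISON1 && e->prev != LIST_POISON2;
}

enum { ADD_REF = 1, DROP_REF = 2 };
struct ref { int action; struct list_head add_list; };
struct ref_head { struct list_head ref_add_list; };

/* Stand-in for drop_delayed_ref(): unlink only if the ref still looks queued.
 * Returns 0 on success, 1 if it met a poisoned entry (a DEBUG_LIST splat, or
 * an invalid dereference on a kernel without list debugging). */
static int drop_ref(struct ref *r)
{
    if (!list_empty(&r->add_list)) {
        if (!list_del_entry_valid(&r->add_list))
            return 1;
        list_del(&r->add_list);
    }
    return 0;
}

/* Stand-in for the action update in insert_delayed_ref(); `fixed` selects
 * list_del_init() (the patch) over list_del() (the bug). */
static void update_to_drop(struct ref *r, bool fixed)
{
    r->action = DROP_REF;
    if (fixed)
        list_del_init(&r->add_list);
    else
        list_del(&r->add_list);
}

/* Full sequence: queue a ref on the add list, flip it to DROP, then drop it.
 * Returns drop_ref()'s result: 1 reproduces the bug, 0 shows the fix. */
int simulate(bool fixed)
{
    struct ref_head head;
    struct ref r = { .action = ADD_REF };
    INIT_LIST_HEAD(&head.ref_add_list);
    INIT_LIST_HEAD(&r.add_list);
    list_add_tail(&r.add_list, &head.ref_add_list);
    update_to_drop(&r, fixed);
    return drop_ref(&r);
}

int main(void)
{
    printf("list_del():      %s\n", simulate(false) ? "poisoned entry hit (crash)" : "ok");
    printf("list_del_init(): %s\n", simulate(true)  ? "poisoned entry hit (crash)" : "ok");
    return 0;
}
```

The model makes the advisory's point concrete: list_empty() is a pure pointer comparison, so after a plain list_del() the entry still reads as linked, and the second unlink in the drop path walks into the poison pointers. list_del_init() restores the self-pointing state the later list_empty() check relies on, which is exactly why the fix is a one-word change rather than an extra check in drop_delayed_ref().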