| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122437-CVE-2023-54032-cb33@gregkh> Date: Wed, 24 Dec 2025 11:57:16 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54032: btrfs: fix race when deleting quota root from the dirty cow roots list From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. The Linux kernel CVE team has assigned CVE-2023-54032 to this issue. Affected and fixed versions =========================== Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 4.14.322 with commit 365f318da7384cbac5de6b9c098914888a4d63e7 Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 4.19.291 with commit 6da229754099518cfa27cbfcd0fd042618785fad Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 5.4.251 with commit 679c34821ab7cd93c8ccb96fbf57fc44848a78bc Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 5.10.188 with commit 6819bb0b8552dcc5f82ca606c8911b8c67e0628f Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 5.15.121 with commit 7ba0da31dd4a8fd24d416016c538a95a5664ff02 Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 6.1.39 with commit a53d78d9a8551e72c46ded23e8b0a56e55d32032 Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 6.4.4 with commit a5cdc4012efa808e07d073c11dc2f366b5394ad3 Issue introduced in 3.6 with commit bed92eae26ccf280d1a2168b7509447b56675a27 and fixed in 6.5 with commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54032 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/btrfs/qgroup.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7 https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02 https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032 https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3 https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79
Powered by blists - more mailing lists