| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024073030-vagabond-imprudent-8ea2@gregkh> Date: Tue, 30 Jul 2024 06:53:40 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: David Sterba <dsterba@...e.cz> Cc: cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org Subject: Re: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly On Mon, Jul 29, 2024 at 10:55:03PM +0200, David Sterba wrote: > On Mon, Jul 29, 2024 at 04:58:13PM +0200, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > btrfs: scrub: handle RST lookup error correctly > > > > [BUG] > > When running btrfs/060 with forced RST feature, it would crash the > > following ASSERT() inside scrub_read_endio(): > > > > ASSERT(sector_nr < stripe->nr_sectors); > > > > Before that, we would have tree dump from > > btrfs_get_raid_extent_offset(), as we failed to find the RST entry for > > the range. > > > > [CAUSE] > > Inside scrub_submit_extent_sector_read() every time we allocated a new > > bbio we immediately called btrfs_map_block() to make sure there was some > > RST range covering the scrub target. > > > > But if btrfs_map_block() fails, we immediately call endio for the bbio, > > while the bbio is newly allocated, it's completely empty. > > > > Then inside scrub_read_endio(), we go through the bvecs to find > > the sector number (as bi_sector is no longer reliable if the bio is > > submitted to lower layers). > > > > And since the bio is empty, such bvecs iteration would not find any > > sector matching the sector, and return sector_nr == stripe->nr_sectors, > > triggering the ASSERT(). > > > > [FIX] > > Instead of calling btrfs_map_block() after allocating a new bbio, call > > btrfs_map_block() first. > > > > Since our only objective of calling btrfs_map_block() is only to update > > stripe_len, there is really no need to do that after btrfs_alloc_bio(). > > > > This new timing would avoid the problem of handling empty bbio > > completely, and in fact fixes a possible race window for the old code, > > where if the submission thread is the only owner of the pending_io, the > > scrub would never finish (since we didn't decrease the pending_io > > counter). > > > > Although the root cause of RST lookup failure still needs to be > > addressed. > > > > The Linux kernel CVE team has assigned CVE-2024-41067 to this issue. > > Please drop the CVE. It's a fix for feature that's still in development > and is not enabled on production kernels (requires CONFIG_BTRFS_DEBUG). We do not know people's use case, and can not "gate" CVE ids based on difference config options like this. > There was even a recent on-disk format change (mkfs required), this is > not really for environments where security matters. Thanks. It's a fix for a vulnerability, so I think it should stay assigned. If your system does not enable that config option, then there is nothing to worry about, right? thanks, greg k-h
Powered by blists - more mailing lists