{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()\n\n[BUG]\nThere is an internal report that KASAN is reporting use-after-free, with\nthe following backtrace:\n\n BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45\n CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n Call Trace:\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x5e/0x2f0\n print_report+0x118/0x216\n kasan_report+0x11d/0x1f0\n btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n process_one_work+0xce0/0x12a0\n worker_thread+0x717/0x1250\n kthread+0x2e3/0x3c0\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x11/0x20\n\n Allocated by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x7d/0x80\n kmem_cache_alloc_noprof+0x16e/0x3e0\n mempool_alloc_noprof+0x12e/0x310\n bio_alloc_bioset+0x3f0/0x7a0\n btrfs_bio_alloc+0x2e/0x50 [btrfs]\n submit_extent_page+0x4d1/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x4b/0x60\n kmem_cache_free+0x214/0x5d0\n bio_free+0xed/0x180\n end_bbio_data_read+0x1cc/0x580 [btrfs]\n btrfs_submit_chunk+0x98d/0x1880 [btrfs]\n btrfs_submit_bio+0x33/0x70 [btrfs]\n submit_one_bio+0xd4/0x130 [btrfs]\n submit_extent_page+0x3ea/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[CAUSE]\nAlthough I cannot reproduce the error, the report itself is good enough\nto pin down the cause.\n\nThe call trace is the regular endio workqueue context, but the\nfree-by-task trace is showing that during btrfs_submit_chunk() we\nalready hit a critical error, and is calling btrfs_bio_end_io() to error\nout. And the original endio function called bio_put() to free the whole\nbio.\n\nThis means a double freeing thus causing use-after-free, e.g.:\n\n1. Enter btrfs_submit_bio() with a read bio\n The read bio length is 128K, crossing two 64K stripes.\n\n2. The first run of btrfs_submit_chunk()\n\n2.1 Call btrfs_map_block(), which returns 64K\n2.2 Call btrfs_split_bio()\n Now there are two bios, one referring to the first 64K, the other\n referring to the second 64K.\n2.3 The first half is submitted.\n\n3. The second run of btrfs_submit_chunk()\n\n3.1 Call btrfs_map_block(), which by somehow failed\n Now we call btrfs_bio_end_io() to handle the error\n\n3.2 btrfs_bio_end_io() calls the original endio function\n Which is end_bbio_data_read(), and it calls bio_put() for the\n original bio.\n\n Now the original bio is freed.\n\n4. The submitted first 64K bio finished\n Now we call into btrfs_check_read_bio() and tries to advance the bio\n iter.\n But since the original bio (thus its iter) is already freed, we\n trigger the above use-after free.\n\n And even if the memory is not poisoned/corrupted, we will later call\n the original endio function, causing a double freeing.\n\n[FIX]\nInstead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),\nwhich has the extra check on split bios and do the pr\n---truncated---" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/btrfs/bio.c" ], "versions": [ { "version": "852eee62d31a", "lessThan": "51722b99f41f", "status": "affected", "versionType": "git" }, { "version": "852eee62d31a", "lessThan": "4a3b9e1a8e6c", "status": "affected", "versionType": "git" }, { "version": "852eee62d31a", "lessThan": "10d9d8c3512f", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/btrfs/bio.c" ], "versions": [ { "version": "6.3", "status": "affected" }, { "version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.49", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.10.8", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/51722b99f41f5e722ffa10b8f61e802a0e70b331" }, { "url": "https://git.kernel.org/stable/c/4a3b9e1a8e6cd1a8d427a905e159de58d38941cc" }, { "url": "https://git.kernel.org/stable/c/10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10" } ], "title": "btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-46687", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }