CVE-2024-26616

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned<br /> <br /> [BUG]<br /> There is a bug report that, on a ext4-converted btrfs, scrub leads to<br /> various problems, including:<br /> <br /> - "unable to find chunk map" errors<br /> BTRFS info (device vdb): scrub: started on devid 1<br /> BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096<br /> BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056<br /> <br /> This would lead to unrepariable errors.<br /> <br /> - Use-after-free KASAN reports:<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0<br /> Read of size 8 at addr ffff8881013c9040 by task btrfs/909<br /> CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x43/0x60<br /> print_report+0xcf/0x640<br /> kasan_report+0xa6/0xd0<br /> __blk_rq_map_sg+0x18f/0x7c0<br /> virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]<br /> virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]<br /> blk_mq_flush_plug_list.part.0+0x780/0x860<br /> __blk_flush_plug+0x1ba/0x220<br /> blk_finish_plug+0x3b/0x60<br /> submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]<br /> __x64_sys_ioctl+0xbd/0x100<br /> do_syscall_64+0x5d/0xe0<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> RIP: 0033:0x7f47e5e0952b<br /> <br /> - Crash, mostly due to above use-after-free<br /> <br /> [CAUSE]<br /> The converted fs has the following data chunk layout:<br /> <br /> item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80<br /> length 86016 owner 2 stripe_len 65536 type DATA|single<br /> <br /> For above logical bytenr 2214744064, it&amp;#39;s at the chunk end<br /> (2214658048 + 86016 = 2214744064).<br /> <br /> This means btrfs_submit_bio() would split the bio, and trigger endio<br /> function for both of the two halves.<br /> <br /> However scrub_submit_initial_read() would only expect the endio function<br /> to be called once, not any more.<br /> This means the first endio function would already free the bbio::bio,<br /> leaving the bvec freed, thus the 2nd endio call would lead to<br /> use-after-free.<br /> <br /> [FIX]<br /> - Make sure scrub_read_endio() only updates bits in its range<br /> Since we may read less than 64K at the end of the chunk, we should not<br /> touch the bits beyond chunk boundary.<br /> <br /> - Make sure scrub_submit_initial_read() only to read the chunk range<br /> This is done by calculating the real number of sectors we need to<br /> read, and add sector-by-sector to the bio.<br /> <br /> Thankfully the scrub read repair path won&amp;#39;t need extra fixes:<br /> <br /> - scrub_stripe_submit_repair_read()<br /> With above fixes, we won&amp;#39;t update error bit for range beyond chunk,<br /> thus scrub_stripe_submit_repair_read() should never submit any read<br /> beyond the chunk.