CVE-2025-21753
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: fix use-after-free when attempting to join an aborted transaction<br />
<br />
When we are trying to join the current transaction and if it&#39;s aborted,<br />
we read its &#39;aborted&#39; field after unlocking fs_info->trans_lock and<br />
without holding any extra reference count on it. This means that a<br />
concurrent task that is aborting the transaction may free the transaction<br />
before we read its &#39;aborted&#39; field, leading to a use-after-free.<br />
<br />
Fix this by reading the &#39;aborted&#39; field while holding fs_info->trans_lock<br />
since any freeing task must first acquire that lock and set<br />
fs_info->running_transaction to NULL before freeing the transaction.<br />
<br />
This was reported by syzbot and Dmitry with the following stack traces<br />
from KASAN:<br />
<br />
==================================================================<br />
BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278<br />
Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128<br />
<br />
CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br />
Workqueue: events_unbound btrfs_async_reclaim_data_space<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:94 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br />
print_address_description mm/kasan/report.c:378 [inline]<br />
print_report+0x169/0x550 mm/kasan/report.c:489<br />
kasan_report+0x143/0x180 mm/kasan/report.c:602<br />
join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278<br />
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697<br />
flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803<br />
btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321<br />
process_one_work kernel/workqueue.c:3236 [inline]<br />
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317<br />
worker_thread+0x870/0xd30 kernel/workqueue.c:3398<br />
kthread+0x2f0/0x390 kernel/kthread.c:389<br />
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br />
<br />
<br />
Allocated by task 5315:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br />
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br />
kasan_kmalloc include/linux/kasan.h:260 [inline]<br />
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329<br />
kmalloc_noprof include/linux/slab.h:901 [inline]<br />
join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308<br />
start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697<br />
btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572<br />
lookup_open fs/namei.c:3649 [inline]<br />
open_last_lookups fs/namei.c:3748 [inline]<br />
path_openat+0x1c03/0x3590 fs/namei.c:3984<br />
do_filp_open+0x27f/0x4e0 fs/namei.c:4014<br />
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402<br />
do_sys_open fs/open.c:1417 [inline]<br />
__do_sys_creat fs/open.c:1495 [inline]<br />
__se_sys_creat fs/open.c:1489 [inline]<br />
__x64_sys_creat+0x123/0x170 fs/open.c:1489<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Freed by task 5336:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br />
poison_slab_object mm/kasan/common.c:247 [inline]<br />
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br />
kasan_slab_free include/linux/kasan.h:233 [inline]<br />
slab_free_hook mm/slub.c:2353 [inline]<br />
slab_free mm/slub.c:4613 [inline]<br />
kfree+0x196/0x430 mm/slub.c:4761<br />
cleanup_transaction fs/btrfs/transaction.c:2063 [inline]<br />
btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598<br />
insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757<br />
btrfs_balance+0x992/<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.4 (including) | 5.4.291 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.235 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.179 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.129 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec
- https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc
- https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca
- https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01
- https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec
- https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7
- https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753
- https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63