CVE-2024-46687
Publication date:
13/09/2024
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()<br />
<br />
[BUG]<br />
There is an internal report that KASAN is reporting use-after-free, with<br />
the following backtrace:<br />
<br />
BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]<br />
Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45<br />
CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br />
Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]<br />
Call Trace:<br />
dump_stack_lvl+0x61/0x80<br />
print_address_description.constprop.0+0x5e/0x2f0<br />
print_report+0x118/0x216<br />
kasan_report+0x11d/0x1f0<br />
btrfs_check_read_bio+0xa68/0xb70 [btrfs]<br />
process_one_work+0xce0/0x12a0<br />
worker_thread+0x717/0x1250<br />
kthread+0x2e3/0x3c0<br />
ret_from_fork+0x2d/0x70<br />
ret_from_fork_asm+0x11/0x20<br />
<br />
Allocated by task 20917:<br />
kasan_save_stack+0x37/0x60<br />
kasan_save_track+0x10/0x30<br />
__kasan_slab_alloc+0x7d/0x80<br />
kmem_cache_alloc_noprof+0x16e/0x3e0<br />
mempool_alloc_noprof+0x12e/0x310<br />
bio_alloc_bioset+0x3f0/0x7a0<br />
btrfs_bio_alloc+0x2e/0x50 [btrfs]<br />
submit_extent_page+0x4d1/0xdb0 [btrfs]<br />
btrfs_do_readpage+0x8b4/0x12a0 [btrfs]<br />
btrfs_readahead+0x29a/0x430 [btrfs]<br />
read_pages+0x1a7/0xc60<br />
page_cache_ra_unbounded+0x2ad/0x560<br />
filemap_get_pages+0x629/0xa20<br />
filemap_read+0x335/0xbf0<br />
vfs_read+0x790/0xcb0<br />
ksys_read+0xfd/0x1d0<br />
do_syscall_64+0x6d/0x140<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
<br />
Freed by task 20917:<br />
kasan_save_stack+0x37/0x60<br />
kasan_save_track+0x10/0x30<br />
kasan_save_free_info+0x37/0x50<br />
__kasan_slab_free+0x4b/0x60<br />
kmem_cache_free+0x214/0x5d0<br />
bio_free+0xed/0x180<br />
end_bbio_data_read+0x1cc/0x580 [btrfs]<br />
btrfs_submit_chunk+0x98d/0x1880 [btrfs]<br />
btrfs_submit_bio+0x33/0x70 [btrfs]<br />
submit_one_bio+0xd4/0x130 [btrfs]<br />
submit_extent_page+0x3ea/0xdb0 [btrfs]<br />
btrfs_do_readpage+0x8b4/0x12a0 [btrfs]<br />
btrfs_readahead+0x29a/0x430 [btrfs]<br />
read_pages+0x1a7/0xc60<br />
page_cache_ra_unbounded+0x2ad/0x560<br />
filemap_get_pages+0x629/0xa20<br />
filemap_read+0x335/0xbf0<br />
vfs_read+0x790/0xcb0<br />
ksys_read+0xfd/0x1d0<br />
do_syscall_64+0x6d/0x140<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
<br />
[CAUSE]<br />
Although I cannot reproduce the error, the report itself is good enough<br />
to pin down the cause.<br />
<br />
The call trace is the regular endio workqueue context, but the<br />
free-by-task trace is showing that during btrfs_submit_chunk() we<br />
already hit a critical error, and is calling btrfs_bio_end_io() to error<br />
out. And the original endio function called bio_put() to free the whole<br />
bio.<br />
<br />
This means a double freeing thus causing use-after-free, e.g.:<br />
<br />
1. Enter btrfs_submit_bio() with a read bio<br />
The read bio length is 128K, crossing two 64K stripes.<br />
<br />
2. The first run of btrfs_submit_chunk()<br />
<br />
2.1 Call btrfs_map_block(), which returns 64K<br />
2.2 Call btrfs_split_bio()<br />
Now there are two bios, one referring to the first 64K, the other<br />
referring to the second 64K.<br />
2.3 The first half is submitted.<br />
<br />
3. The second run of btrfs_submit_chunk()<br />
<br />
3.1 Call btrfs_map_block(), which by somehow failed<br />
Now we call btrfs_bio_end_io() to handle the error<br />
<br />
3.2 btrfs_bio_end_io() calls the original endio function<br />
Which is end_bbio_data_read(), and it calls bio_put() for the<br />
original bio.<br />
<br />
Now the original bio is freed.<br />
<br />
4. The submitted first 64K bio finished<br />
Now we call into btrfs_check_read_bio() and tries to advance the bio<br />
iter.<br />
But since the original bio (thus its iter) is already freed, we<br />
trigger the above use-after free.<br />
<br />
And even if the memory is not poisoned/corrupted, we will later call<br />
the original endio function, causing a double freeing.<br />
<br />
[FIX]<br />
Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),<br />
which has the extra check on split bios and do the pr<br />
---truncated---
Severity:
HIGH
Last modification:
14/09/2024