National Cybersecurity Institute. INCIBE section
National Cybersecurity Institute. INCIBE-CERT section

CVE-2023-54080

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: skip splitting and logical rewriting on pre-alloc write

When doing a relocation, there is a chance that at the time of btrfs_reloc_clone_csums(), there is no checksum for the corresponding region.

In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item and so ordered_extent's logical is set to some invalid value. Then, btrfs_lookup_block_group() in btrfs_zone_finish_endio() fails to find a block group and will hit an assert or a null pointer dereference as follows.

This can be reproduced by running btrfs/028 several times (e.g. 4 to 16 times) with a null_blk setup. The device's zone size and capacity are set to 32 MB and the storage size is set to 5 GB on my setup.

KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1
Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00 <3c> 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00
RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827
R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000
R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0
Call Trace:

 ? die_addr+0x3c/0xa0
 ? exc_general_protection+0x148/0x220
 ? asm_exc_general_protection+0x22/0x30
 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
 ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs]
 btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs]
 ? rcu_is_watching+0x11/0xb0
 ? lock_release+0x47a/0x620
 ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs]
 ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
 ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs]
 ? __smp_call_single_queue+0x124/0x350
 ? rcu_is_watching+0x11/0xb0
 btrfs_work_helper+0x19f/0xc60 [btrfs]
 ? __pfx_try_to_wake_up+0x10/0x10
 ? _raw_spin_unlock_irq+0x24/0x50
 ? rcu_is_watching+0x11/0xb0
 process_one_work+0x8c1/0x1430
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 ? __pfx_do_raw_spin_lock+0x10/0x10
 ? _raw_spin_lock_irq+0x52/0x60
 worker_thread+0x100/0x12c0
 ? __kthread_parkme+0xc1/0x1f0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x2ea/0x3c0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x30/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30

On the zoned mode, writing to a pre-allocated region means a data relocation write. Such a write always uses the WRITE command, so there is no need for splitting and rewriting the logical address. Thus, we can just skip the function for this case.

Impact