CVE-2021-46958

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2024
Last modified:
11/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between transaction aborts and fsyncs leading to use-after-free

There is a race between a task aborting a transaction during a commit,
a task doing an fsync and the transaction kthread, which leads to a
use-after-free of the log root tree. When this happens, it results in a
stack trace like the following:

BTRFS info (device dm-0): forced readonly
BTRFS warning (device dm-0): Skipping commit of aborted transaction.
BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure
BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)
BTRFS warning (device dm-0): Skipping commit of aborted transaction.
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10
BTRFS error (device dm-0): error writing primary super block to device 1
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10
BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)
BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:__mutex_lock+0x139/0xa40
Code: c0 74 19 (...)
RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002
RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040
R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358
FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? __btrfs_handle_fs_error+0xde/0x146 [btrfs]
? btrfs_sync_log+0x7c1/0xf20 [btrfs]
? btrfs_sync_log+0x7c1/0xf20 [btrfs]
btrfs_sync_log+0x7c1/0xf20 [btrfs]
btrfs_sync_file+0x40c/0x580 [btrfs]
do_fsync+0x38/0x70
__x64_sys_fsync+0x10/0x20
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa9142a55c3
Code: 8b 15 09 (...)
RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3
RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340
R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0
Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)
---[ end trace ee2f1b19327d791d ]---

The steps that lead to this crash are the following:

1) We are at transaction N;

2) We have two tasks with a transaction handle attached to transaction N.
Task A and Task B. Task B is doing an fsync;

3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree
into a local variable named 'log_root_tree' at the top of
btrfs_sync_log(). Task B is about to call write_all_supers(), but
before that...

4) Task A calls btrfs_commit_transaction(), and after it sets the
transaction state to TRANS_STATE_COMMIT_START, an error happens before
it w
---truncated---

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.7 (including) 5.10.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.11.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12 (including) 5.12.3 (excluding)