CVE-2024-26792

Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 04/04/2024
Last modified: 20/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free of anonymous device after snapshot creation failure

When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem.

The steps that lead to this:

1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev;

2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot();

3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev;

4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could be some task doing backref walking;

5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1.

Recently syzbot ran into this and reported the following trace:

------------[ cut here ]------------
ida_free called for id=51 which is not allocated.
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
Modules linked in:
CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
Code: 10 42 80 3c 28 (...)
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
Call Trace:

btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
__btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
btrfs_ioctl+0xa74/0xd40
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fca3e67dda9
Code: 28 00 00 00 (...)
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658

Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy
---truncated---
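The ownership problem behind steps 1 to 5 can be reproduced in miniature. The C model below is an added example and not the kernel's code: a toy id allocator stands in for the kernel's ida, get_new_fs_root_buggy()/get_new_fs_root_fixed() are hypothetical simplifications of btrfs_get_new_fs_root(), and create_snapshot_sim() plays the role of create_snapshot() with its 'fail' cleanup. The fixed variant clears the caller's copy of the id once it has been consumed, which is the property a reviewer should check for in any "allocate, hand off, cleanup on error" path.

```c
#include <stdbool.h>
#include <string.h>

/* Added example modelling the CVE-2024-26792 pattern; not kernel code.
 * A tiny id allocator stands in for the kernel's ida used for anon devs. */
#define MAX_IDS 8
static bool id_allocated[MAX_IDS];
static int bad_free_count;  /* frees of an id that is not currently allocated */

static int anon_alloc(void)
{
    for (int i = 1; i < MAX_IDS; i++)
        if (!id_allocated[i]) { id_allocated[i] = true; return i; }
    return -1;
}

static void anon_free(int id)
{
    /* Mirrors the "ida_free called for id=N which is not allocated" warning */
    if (id <= 0 || id >= MAX_IDS || !id_allocated[id]) { bad_free_count++; return; }
    id_allocated[id] = false;
}

/* Hypothetical simplification of btrfs_get_new_fs_root(): when the root
 * already exists (someone else looked it up), the anon dev is freed here,
 * but the caller's copy of the number is left untouched. */
static void get_new_fs_root_buggy(int anon_dev, bool root_exists)
{
    if (root_exists) anon_free(anon_dev);
}

/* Hardened variant: take the id by pointer and clear it once consumed so
 * the caller's cleanup path cannot free it a second time. */
static void get_new_fs_root_fixed(int *anon_dev, bool root_exists)
{
    if (root_exists) { anon_free(*anon_dev); *anon_dev = 0; }
}

/* Models ioctl.c:create_snapshot(): allocate, commit, and on commit failure
 * run the 'fail' cleanup. Returns how many invalid frees the call caused. */
int create_snapshot_sim(bool fixed, bool root_exists, bool commit_fails)
{
    int before = bad_free_count;
    memset(id_allocated, 0, sizeof id_allocated);             /* fresh allocator */
    int anon_dev = anon_alloc();                               /* step 1 */
    if (fixed) get_new_fs_root_fixed(&anon_dev, root_exists);  /* steps 2-4 */
    else       get_new_fs_root_buggy(anon_dev, root_exists);
    if (commit_fails && anon_dev > 0)                          /* step 5: 'fail' */
        anon_free(anon_dev);
    return bad_free_count - before;
}
```

With the buggy variant, a concurrent lookup plus a commit failure yields one free of an id that is no longer allocated; the fixed variant yields none on the same input.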

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.210 (including) 5.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.149 (including) 5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.79 (including) 6.1.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.18 (including) 6.6.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7.6 (including) 6.7.9 (excluding)