CVE-2024-49869
Severity CVSS v4.0: Pending analysis
Type: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date: 21/10/2024
Last modified: 24/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: send: fix buffer overflow detection when copying path to cache entry

Starting with commit c0247d289e73 ("btrfs: send: annotate struct
name_cache_entry with __counted_by()") we annotated the variable length
array "name" from the name_cache_entry structure with __counted_by() to
improve overflow detection. However that alone was not correct, because
the length of that array does not match the "name_len" field - it matches
that plus 1 to include the NUL string terminator, so that makes a
fortified kernel think there's an overflow and report a splat like this:

strcpy: detected buffer overflow: 20 byte write of buffer size 19
WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50
CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1
Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018
RIP: 0010:__fortify_report+0x45/0x50
Code: 48 8b 34 (...)
RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246
RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027
RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8
RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd
R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400
R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8
FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0
Call Trace:

? __warn+0x12a/0x1d0
? __fortify_report+0x45/0x50
? report_bug+0x154/0x1c0
? handle_bug+0x42/0x70
? exc_invalid_op+0x1a/0x50
? asm_exc_invalid_op+0x1a/0x20
? __fortify_report+0x45/0x50
__fortify_panic+0x9/0x10
__get_cur_name_and_parent+0x3bc/0x3c0
get_cur_path+0x207/0x3b0
send_extent_data+0x709/0x10d0
? find_parent_nodes+0x22df/0x25d0
? mas_nomem+0x13/0x90
? mtree_insert_range+0xa5/0x110
? btrfs_lru_cache_store+0x5f/0x1e0
? iterate_extent_inodes+0x52d/0x5a0
process_extent+0xa96/0x11a0
? __pfx_lookup_backref_cache+0x10/0x10
? __pfx_store_backref_cache+0x10/0x10
? __pfx_iterate_backrefs+0x10/0x10
? __pfx_check_extent_item+0x10/0x10
changed_cb+0x6fa/0x930
? tree_advance+0x362/0x390
? memcmp_extent_buffer+0xd7/0x160
send_subvol+0xf0a/0x1520
btrfs_ioctl_send+0x106b/0x11d0
? __pfx___clone_root_cmp_sort+0x10/0x10
_btrfs_ioctl_send+0x1ac/0x240
btrfs_ioctl+0x75b/0x850
__se_sys_ioctl+0xca/0x150
do_syscall_64+0x85/0x160
? __count_memcg_events+0x69/0x100
? handle_mm_fault+0x1327/0x15c0
? __se_sys_rt_sigprocmask+0xf1/0x180
? syscall_exit_to_user_mode+0x75/0xa0
? do_syscall_64+0x91/0x160
? do_user_addr_fault+0x21d/0x630
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fae145eeb4f
Code: 00 48 89 (...)
RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f
RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004
RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8
R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004

Fix this by not storing the NUL string terminator since we don't actually
need it for name cache entries, this way "name_len" corresponds to the
actual size of the "name" array. This requires marking the "name" array
field with __nonstring and using memcpy() instead of strcpy() as
recommended by the guidelines at:

https://github.com/KSPP/linux/issues/90
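The mismatch the commit message describes, shown as an added user-space illustration (this is not btrfs or kernel code). A stand-in struct carries a length field and a flexible "name" array; a hand-written fortify_check() emulates what CONFIG_FORTIFY_SOURCE does when __counted_by(name_len) declares the array to be exactly name_len bytes. The "before" path allocates room for a NUL and uses strcpy(), so the write of name_len + 1 bytes is reported; the "after" path stores exactly name_len bytes with memcpy() and nothing is reported. The 19-byte path string and the fortify emulation are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not btrfs code. A stand-in for name_cache_entry: a
 * length field and a flexible "name" array. Under __counted_by(name_len)
 * the compiler takes the array to be exactly name_len bytes, and a
 * fortified string helper reports any larger write. fortify_check() below
 * emulates that report in user space.
 */
struct cache_entry {
    unsigned int name_len;  /* declared bound of "name" under __counted_by() */
    char name[];            /* flexible array; name_len bytes after the fix */
};

/* Emulates CONFIG_FORTIFY_SOURCE: compare the write size to the declared
 * bound and produce the same message shape as the kernel splat. */
static bool fortify_check(const char *func, size_t write_size, size_t bound,
                          char *msg, size_t msg_len)
{
    if (write_size > bound) {
        snprintf(msg, msg_len,
                 "%s: detected buffer overflow: %zu byte write of buffer size %zu",
                 func, write_size, bound);
        return false;
    }
    msg[0] = '\0';
    return true;
}

/* Before the fix: the allocation holds name_len + 1 bytes (room for the
 * NUL), but the annotated bound is name_len, so the fortified strcpy()
 * of name_len + 1 bytes is reported as an overflow. Returns false when the
 * emulated fortify check fires; msg receives the report text. */
bool store_name_with_nul(const char *path, char *msg, size_t msg_len)
{
    size_t len = strlen(path);
    struct cache_entry *e = malloc(sizeof(*e) + len + 1);
    if (!e)
        return false;
    e->name_len = (unsigned int)len;
    bool ok = fortify_check("strcpy", len + 1, e->name_len, msg, msg_len);
    if (ok)
        strcpy(e->name, path);   /* writes len + 1 bytes */
    free(e);
    return ok;
}

/* After the fix: store exactly name_len bytes with memcpy() and no
 * terminator, so the write and the annotated bound agree. "name" is then a
 * __nonstring byte array: readers must use name_len, never strlen().
 * Copies the stored bytes into out and returns the count (0 on failure). */
size_t store_name_nonstring(const char *path, char *msg, size_t msg_len,
                            char *out, size_t out_len)
{
    size_t len = strlen(path);
    if (len > out_len)
        return 0;
    struct cache_entry *e = malloc(sizeof(*e) + len);  /* no +1 */
    if (!e)
        return 0;
    e->name_len = (unsigned int)len;
    if (!fortify_check("memcpy", len, e->name_len, msg, msg_len)) {
        free(e);
        return 0;
    }
    memcpy(e->name, path, len);      /* writes exactly name_len bytes */
    memcpy(out, e->name, len);
    free(e);
    return len;
}

int main(void)
{
    char msg[128], out[64];
    const char *path = "this_is_19_byte_str";  /* constructed 19-byte path */

    if (!store_name_with_nul(path, msg, sizeof msg))
        printf("before fix -> %s\n", msg);

    size_t n = store_name_nonstring(path, msg, sizeof msg, out, sizeof out);
    printf("after fix  -> stored %zu bytes%s\n", n, msg[0] ? " (reported!)" : ", no report");
    return 0;
}
```

The point to take from the "after" path is the caveat the commit message makes with __nonstring: once the terminator is gone, every reader of the array has to bound itself by name_len (memcmp, not strcmp or strlen), otherwise the fortify warning is traded for a real over-read.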
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page