CVE-2024-42103

{"id": "CVE-2024-42103", "cveTags": [], "metrics": {}, "published": "2024-07-30T08:15:02.817", "references": [{"url": "https://git.kernel.org/stable/c/326fa14549d7969ef80d3f5beea5470cd1c8e67f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/48f091fd50b2eb33ae5eaea9ed3c4f81603acf38", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/522b39bd7163e8dc49f8cf10b9b782218ac48746", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa1d8cc0cc500e06b316cd6732d4e6c1388fe33c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8e960be923f74a273c62478c9cab9523936752b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix adding block group to a reclaim list and the unused list during reclaim\n\nThere is a potential parallel list adding for retrying in\nbtrfs_reclaim_bgs_work and adding to the unused list. Since the block\ngroup is removed from the reclaim list and it is on a relocation work,\nit can be added into the unused list in parallel. When that happens,\nadding it to the reclaim list will corrupt the list head and trigger\nlist corruption like below.\n\nFix it by taking fs_info->unused_bgs_lock.\n\n [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104\n [177.514][T2585409] list_del corruption. next->prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0)\n [177.529][T2585409] ------------[ cut here ]------------\n [177.537][T2585409] kernel BUG at lib/list_debug.c:65!\n [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1\n [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022\n [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]\n [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72\n [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286\n [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000\n [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40\n [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08\n [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0\n [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000\n [177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000\n [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0\n [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000\n [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400\n [177.742][T2585409] PKRU: 55555554\n [177.748][T2585409] Call Trace:\n [177.753][T2585409] <TASK>\n [177.759][T2585409] ? __die_body.cold+0x19/0x27\n [177.766][T2585409] ? die+0x2e/0x50\n [177.772][T2585409] ? do_trap+0x1ea/0x2d0\n [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72\n [177.788][T2585409] ? do_error_trap+0xa3/0x160\n [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72\n [177.805][T2585409] ? handle_invalid_op+0x2c/0x40\n [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72\n [177.820][T2585409] ? exc_invalid_op+0x2d/0x40\n [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20\n [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72\n [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]\n\nThere is a similar retry_list code in btrfs_delete_unused_bgs(), but it is\nsafe, AFAICS. Since the block group was in the unused list, the used bytes\nshould be 0 when it was added to the unused list. Then, it checks\nblock_group->{used,reserved,pinned} are still 0 under the\nblock_group->lock. So, they should be still eligible for the unused list,\nnot the reclaim list.\n\nThe reason it is safe there it's because because we're holding\nspace_info->groups_sem in write mode.\n\nThat means no other task can allocate from the block group, so while we\nare at deleted_unused_bgs() it's not possible for other tasks to\nallocate and deallocate extents from the block group, so it can't be\nadded to the unused list or the reclaim list by anyone else.\n\nThe bug can be reproduced by btrfs/166 after a few rounds. In practice\nthis can be hit when relocation cannot find more chunk space and ends\nwith ENOSPC."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige la adici\u00f3n de un grupo de bloques a una lista de recuperaci\u00f3n y la lista no utilizada durante la recuperaci\u00f3n. Existe una posible adici\u00f3n de lista paralela para volver a intentarlo en btrfs_reclaim_bgs_work y agregarla a la lista no utilizada. Dado que el grupo de bloques se elimina de la lista de recuperaci\u00f3n y se encuentra en un trabajo de reubicaci\u00f3n, se puede agregar a la lista no utilizada en paralelo. Cuando eso sucede, agregarlo a la lista de recuperaci\u00f3n da\u00f1ar\u00e1 el encabezado de la lista y provocar\u00e1 una corrupci\u00f3n en la lista como se muestra a continuaci\u00f3n. Solucionarlo tomando fs_info-&gt;unused_bgs_lock. [177.504][T2585409] Error BTRFS (dispositivo nullb1): error al reubicar ch= unk 2415919104 [177.514][T2585409] corrupci\u00f3n list_del. siguiente-&gt;anterior deber\u00eda ser ff1100= 0344b119c0, pero era ff11000377e87c70. (next=3Dff110002390cd9c0) [177.529][T2585409] ------------[ cortar aqu\u00ed ]------------ [177.537][T2585409] ERROR del kernel en lib/ list_debug.c:65! [177.545][T2585409] Ups: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP KASAN NOPTI [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Contaminado: GW 6.10.0-rc5-kts # 1 [177.568][T2585409] Nombre de hardware: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 14/02/2022 [177.579][T2585409] Cola de trabajo: events_unbound btrfs_reclaim_bgs_work[btrfs] [177.589][T2585409] QEPD: 0010 :__list_del_entry_valid_or_report.cold+0x70/0x72 [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286 [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000 [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI :ffe21c006efd0f40 [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08 [177.665][T2585409] R10: 7847 R11: 0000000000000000 R12:ff110002390cd9c0 [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000 [177. 687] [T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000 [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 00000080050033 [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4: 0000000000771ef0 [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000 [177.731][T2585409] DR3: 00000000 DR6: 00000000fffe0ff0 DR7:0000000000000400 [177.742][T2585409] PKRU: 55555554 [177.748][T2585409] Seguimiento de llamadas: [ 177.753][T2585409] [177.759][T2585409] ? __die_body.cold+0x19/0x27 [177.766][T2585409] ? morir+0x2e/0x50 [177.772][T2585409] ? do_trap+0x1ea/0x2d0 [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.788][T2585409] ? do_error_trap+0xa3/0x160 [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.805][T2585409] ? handle_invalid_op+0x2c/0x40 [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.820][T2585409] ? exc_invalid_op+0x2d/0x40 [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20 [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs] Hay un c\u00f3digo retry_list similar en btrfs_delete_unused_bgs(), pero es seguro, AFAICS. Dado que el grupo de bloques estaba en la lista no utilizada, los bytes usados deber\u00edan ser 0 cuando se agreg\u00f3 a la lista no utilizada. Luego, verifica que block_group-&gt;{used,reserved,pinned} todav\u00eda sean 0 bajo block_group-&gt;lock. Por lo tanto, a\u00fan deber\u00edan ser elegibles para la lista no utilizada, no para la lista de recuperaci\u00f3n. La raz\u00f3n por la que es seguro all\u00ed es porque mantenemos space_info-&gt;groups_sem en modo de escritura. Eso significa que ninguna otra tarea puede asignar desde el grupo de bloques, por lo que mientras estamos en deleted_unused_bgs() no es posible que otras tareas asignen y desasignen extensiones del grupo de bloques, por lo que no se pueden agregar a la lista no utilizada ni a la reclamaci\u00f3n. lista por cualquier otra persona. El error puede repro ---truncado---"}], "lastModified": "2024-07-30T13:32:45.943", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}