CVE-2024-44972 Information

Sep 05, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

btrfs: do not clear page dirty inside extent_write_locked_range()

[BUG] For subpage + zoned case the following workload can lead to rsv data leak at unmount time:

mkfs.btrfs -f -s 4k $dev mount $dev $mnt fsstress -w -n 8 -d $mnt -s 1709539240 0/0: fiemap - no filename 0/1: copyrange read - no filename 0/2: write - no filename 0/3: rename - no source filename 0/4: creat f0 x:0 0 0 0/4: creat add id=0parent=-1 0/5: writev f0[259 1 0 0 0 0] [778052113965] 0 0/6: ioctl(FIEMAP) f0[259 1 0 0 224 887097] [129422022916183439914847910x10000] -1 0/7: dwrite - xfsctl(XFS_IOC_DIOINFO) f0[259 1 0 0 224 887097] return 25 fallback to stat() 0/7: dwrite f0[259 1 0 0 224 887097] [696320102400] 0 umount $mnt

The dmesg includes the following rsv leak detection warning (all call trace skipped):

————[ cut here ]———— WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8653 btrfs_destroy_inode+0x1e0/0x200 [btrfs] —[ end trace 0000000000000000 ]— ————[ cut here ]———— WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8654 btrfs_destroy_inode+0x1a8/0x200 [btrfs] —[ end trace 0000000000000000 ]— ————[ cut here ]———— WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8660 btrfs_destroy_inode+0x1a0/0x200 [btrfs] —[ end trace 0000000000000000 ]— BTRFS info (device sda): last unmount of filesystem 1b4abba9-de34-4f07-9e7f-157cf12a18d6 ————[ cut here ]———— WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] —[ end trace 0000000000000000 ]— BTRFS info (device sda): space_info DATA has 268218368 free is not full BTRFS info (device sda): space_info total=268435456 used=204800 pinned=0 reserved=0 may_use=12288 readonly=0 zone_unusable=0 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0 ————[ cut here ]———— WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs] —[ end trace 0000000000000000 ]— BTRFS info (device sda): space_info METADATA has 267796480 free is not full BTRFS info (device sda): space_info total=268435456 used=131072 pinned=0 reserved=0 may_use=262144 readonly=0 zone_unusable=245760 BTRFS info (device sda): global_block_rsv: size 0 reserved 0 BTRFS info (device sda): trans_block_rsv: size 0 reserved 0 BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0 BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0

Above $dev is a tcmu-runner emulated zoned HDD which has a max zone append size of 64K and the system has 64K page size.

[CAUSE] I have added several trace_printk() to show the events (header skipped):

btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688 btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288 btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536 btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864

The above lines show our buffered write has dirtied 3 pages of inode 259 of root 5:

704K 768K 832K 896K I |////I/////////////////I///////////| I 756K 868K

|///| is the dirtied range using subpage bitmaps. and ‘I’ is the page boundary.

Meanwhile all three pages (704K 768K 832K) have their PageDirty flag set.

btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400

Then direct IO writ

truncated—

Reference

https://git.kernel.org/stable/c/ba4dedb71356638d8284e34724daca944be70368 https://git.kernel.org/stable/c/d3b403209f767e5857c1b9fda66726e6e6ffc99f https://git.kernel.org/stable/c/97713b1a2ced1e4a2a6c40045903797ebd44d7e0

Share on: