CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26792 – btrfs: fix double free of anonymous device after snapshot creation failure
https://notcve.org/view.php?id=CVE-2024-26792
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there's an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot->anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot->anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the 'fail' label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot->anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: <TASK> btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 </TASK> Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated--- En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: btrfs: corrige la doble liberación de un dispositivo anónimo después de un error en la creación de la instantánea. Al crear una instantánea podemos hacer una doble liberación de un dispositivo anónimo en caso de que haya un error al realizar la transacción. La segunda liberación puede resultar en la liberación de un número de dispositivo anónimo asignado por algún otro subSYSTEM en el kernel u otro SYSTEM de archivos btrfs. • https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430 https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468 https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701 https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a70 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26791 – btrfs: dev-replace: properly validate device names
https://notcve.org/view.php?id=CVE-2024-26791
In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: btrfs: dev-replace: validar correctamente los nombres de los dispositivos. Hay un informe de syzbot que indica que los búferes de nombres de dispositivos pasados para reemplazar el dispositivo no se verifican adecuadamente para determinar la terminación de la cadena, lo que podría provocar una lectura fuera de los límites. en getname_kernel(). Agregue un asistente que valide los búferes de nombres de dispositivos de origen y de destino. Para devid como fuente, inicialice el búfer en una cadena vacía en caso de que algo intente leerlo más tarde. • https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84 https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311 https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9 https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8 https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1 https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26790 – dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
https://notcve.org/view.php?id=CVE-2024-26790
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: dmaengine: fsl-qdma: corrección El SoC puede bloquearse en lecturas no alineadas de 16 bytes. Hay erratas en el chip (ls1028a): El SoC puede bloquearse en transacciones de lectura no alineadas de 16 bytes mediante QDMA. Las transacciones de lectura no alineadas iniciadas por QDMA pueden detenerse en el NOC (Network On-Chip), provocando una condición de interbloqueo. • https://git.kernel.org/stable/c/b092529e0aa09829a6404424ce167bf3ce3235e2 https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580 https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367 https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471 https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71d •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26789 – crypto: arm64/neonbs - fix out-of-bounds access on short input
https://notcve.org/view.php?id=CVE-2024-26789
In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/neonbs - fix out-of-bounds access on short input The bit-sliced implementation of AES-CTR operates on blocks of 128 bytes, and will fall back to the plain NEON version for tail blocks or inputs that are shorter than 128 bytes to begin with. It will call straight into the plain NEON asm helper, which performs all memory accesses in granules of 16 bytes (the size of a NEON register). For this reason, the associated plain NEON glue code will copy inputs shorter than 16 bytes into a temporary buffer, given that this is a rare occurrence and it is not worth the effort to work around this in the asm code. The fallback from the bit-sliced NEON version fails to take this into account, potentially resulting in out-of-bounds accesses. So clone the same workaround, and use a temp buffer for short in/outputs. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: arm64/neonbs: corrige el acceso fuera de los límites en entradas cortas. La implementación de bits de AES-CTR opera en bloques de 128 bytes y recurrirá al Versión NEON simple para bloques finales o entradas que, para empezar, tienen menos de 128 bytes. Llamará directamente al asistente simple NEON asm, que realiza todos los accesos a la memoria en gránulos de 16 bytes (el tamaño de un registro NEON). • https://git.kernel.org/stable/c/fc074e130051015e39245a4241956ff122e2f465 https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705 https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4 https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26788 – dmaengine: fsl-qdma: init irq after reg initialization
https://notcve.org/view.php?id=CVE-2024-26788
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: init irq after reg initialization Initialize the qDMA irqs after the registers are configured so that interrupts that may have been pending from a primary kernel don't get processed by the irq handler before it is ready to and cause panic with the following trace: Call trace: fsl_qdma_queue_handler+0xf8/0x3e8 __handle_irq_event_percpu+0x78/0x2b0 handle_irq_event_percpu+0x1c/0x68 handle_irq_event+0x44/0x78 handle_fasteoi_irq+0xc8/0x178 generic_handle_irq+0x24/0x38 __handle_domain_irq+0x90/0x100 gic_handle_irq+0x5c/0xb8 el1_irq+0xb8/0x180 _raw_spin_unlock_irqrestore+0x14/0x40 __setup_irq+0x4bc/0x798 request_threaded_irq+0xd8/0x190 devm_request_threaded_irq+0x74/0xe8 fsl_qdma_probe+0x4d4/0xca8 platform_drv_probe+0x50/0xa0 really_probe+0xe0/0x3f8 driver_probe_device+0x64/0x130 device_driver_attach+0x6c/0x78 __driver_attach+0xbc/0x158 bus_for_each_dev+0x5c/0x98 driver_attach+0x20/0x28 bus_add_driver+0x158/0x220 driver_register+0x60/0x110 __platform_driver_register+0x44/0x50 fsl_qdma_driver_init+0x18/0x20 do_one_initcall+0x48/0x258 kernel_init_freeable+0x1a4/0x23c kernel_init+0x10/0xf8 ret_from_fork+0x10/0x18 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dmaengine: fsl-qdma: init irq after reg inicialización Inicialice qDMA irqs después de configurar los registros para que las interrupciones que puedan haber estado pendientes de un kernel primario no sean procesadas por el controlador irq antes de que esté listo y cause pánico con el siguiente rastreo: Rastreo de llamadas: fsl_qdma_queue_handler+0xf8/0x3e8 __handle_irq_event_percpu+0x78/0x2b0 handle_irq_event_percpu+0x1c/0x68 handle_irq_event+0x44/0x78 handle_fasteoi_irq+0xc8/0x 178 generic_handle_irq+0x24/0x38 __handle_domain_irq +0x90/0x100 gic_handle_irq+0x5c/0xb8 el1_irq+0xb8/0x180 _raw_spin_unlock_irqrestore+0x14/0x40 __setup_irq+0x4bc/0x798 request_threaded_irq+0xd8/0x190 devm_request_threaded_irq+0x74/ 0xe8 fsl_qdma_probe+0x4d4/0xca8 plataforma_drv_probe+0x50/0xa0 very_probe+0xe0/0x3f8 driver_probe_device +0x64/0x130 dispositivo_driver_attach+0x6c/0x78 __driver_attach+0xbc/0x158 bus_for_each_dev+0x5c/0x98 driver_attach+0x20/0x28 bus_add_driver+0x158/0x220 driver_register+0x60/0x110 __platform_driver_register+0x 44/0x50 fsl_qdma_driver_init+0x18/0x20 do_one_initcall+0x48/0x258 kernel_init_freeable +0x1a4/0x23c kernel_init+0x10/0xf8 ret_from_fork+0x10/0x18 • https://git.kernel.org/stable/c/b092529e0aa09829a6404424ce167bf3ce3235e2 https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478 https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1 https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99 https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8 https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef •