CVE-2024-35956
btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
Create subvolume, create snapshot and delete subvolume all use
btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
done to the parent subvolume's fs tree, which cannot be mediated in the
normal way via start_transaction. When quota groups (squota or qgroups)
are enabled, this reserves qgroup metadata of type PREALLOC. Once the
operation is associated to a transaction, we convert PREALLOC to
PERTRANS, which gets cleared in bulk at the end of the transaction.
However, the error paths of these three operations were not implementing
this lifecycle correctly. They unconditionally converted the PREALLOC to
PERTRANS in a generic cleanup step regardless of errors or whether the
operation was fully associated to a transaction or not. This resulted in
error paths occasionally converting this rsv to PERTRANS without calling
record_root_in_trans successfully, which meant that unless that root got
recorded in the transaction by some other thread, the end of the
transaction would not free that root's PERTRANS, leaking it. Ultimately,
this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
for the leaked reservation.
The fix is to ensure that every qgroup PREALLOC reservation observes the
following properties:
1. any failure before record_root_in_trans is called successfully
results in freeing the PREALLOC reservation.
2. after record_root_in_trans, we convert to PERTRANS, and now the
transaction owns freeing the reservation.
This patch enforces those properties on the three operations. Without
it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
runs on my system. With this patch, it ran successfully 1000 times in a
row.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: qgroup: corrige la fuga de rsv prealloc de qgroup en operaciones de subvolumen Crear subvolumen, crear instantánea y eliminar subvolumen, todos usan btrfs_subvolume_reserve_metadata() para reservar metadatos para los cambios realizados en el árbol fs del subvolumen principal , que no se puede mediar de la forma normal a través de start_transaction. Cuando los grupos de cuotas (squota o qgroups) están habilitados, esto reserva metadatos de qgroup de tipo PREALLOC. Una vez asociada la operación a una transacción, convertimos PREALLOC a PERTRANS, que se compensa de forma masiva al final de la transacción. Sin embargo, las rutas de error de estas tres operaciones no implementaban este ciclo de vida correctamente. Convirtieron incondicionalmente PREALLOC a PERTRANS en un paso de limpieza genérico, independientemente de los errores o de si la operación estaba completamente asociada a una transacción o no. Esto resultó en rutas de error que ocasionalmente convertían este rsv a PERTRANS sin llamar exitosamente a record_root_in_trans, lo que significaba que, a menos que algún otro hilo registrara esa raíz en la transacción, el final de la transacción no liberaría el PERTRANS de esa raíz, filtrándolo. En última instancia, esto resultó en un aviso de ADVERTENCIA en las compilaciones CONFIG_BTRFS_DEBUG al desmontar la reserva filtrada. La solución es garantizar que cada reserva PREALLOC de qgroup observe las siguientes propiedades: 1. cualquier falla antes de que se llame exitosamente a record_root_in_trans resulta en la liberación de la reserva PREALLOC. 2. después de record_root_in_trans, convertimos a PERTRANS, y ahora la transacción es dueña de la reserva. Este parche aplica esas propiedades en las tres operaciones. Sin él, generic/269 con cuotas habilitadas en el momento mkfs fallaría en ~5-10 ejecuciones en mi sistema. Con este parche, se ejecutó exitosamente 1000 veces seguidas.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-20 CVE Published
- 2024-05-21 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/e85fde5162bf1b242cbd6daf7dba0f9b457d592b | Vuln. Introduced | |
https://git.kernel.org/stable/c/2978cb474745b2d93c263008d265e89985706094 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 6.1.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.1.120" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 6.6.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.6.28" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.8.7" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.9.5 Search vendor "Linux" for product "Linux Kernel" and version "5.9.5" | en |
Affected
|