CVE-2024-35956

btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

Create subvolume, create snapshot and delete subvolume all use
btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
done to the parent subvolume's fs tree, which cannot be mediated in the
normal way via start_transaction. When quota groups (squota or qgroups)
are enabled, this reserves qgroup metadata of type PREALLOC. Once the
operation is associated to a transaction, we convert PREALLOC to
PERTRANS, which gets cleared in bulk at the end of the transaction.

However, the error paths of these three operations were not implementing
this lifecycle correctly. They unconditionally converted the PREALLOC to
PERTRANS in a generic cleanup step regardless of errors or whether the
operation was fully associated to a transaction or not. This resulted in
error paths occasionally converting this rsv to PERTRANS without calling
record_root_in_trans successfully, which meant that unless that root got
recorded in the transaction by some other thread, the end of the
transaction would not free that root's PERTRANS, leaking it. Ultimately,
this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount
for the leaked reservation.

The fix is to ensure that every qgroup PREALLOC reservation observes the
following properties:

1. any failure before record_root_in_trans is called successfully
results in freeing the PREALLOC reservation.
2. after record_root_in_trans, we convert to PERTRANS, and now the
transaction owns freeing the reservation.

This patch enforces those properties on the three operations. Without
it, generic/269 with squotas enabled at mkfs time would fail in ~5-10
runs on my system. With this patch, it ran successfully 1000 times in a
row.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: qgroup: corrige la fuga de rsv prealloc de qgroup en operaciones de subvolumen Crear subvolumen, crear instantánea y eliminar subvolumen, todos usan btrfs_subvolume_reserve_metadata() para reservar metadatos para los cambios realizados en el árbol fs del subvolumen principal , que no se puede mediar de la forma normal a través de start_transaction. Cuando los grupos de cuotas (squota o qgroups) están habilitados, esto reserva metadatos de qgroup de tipo PREALLOC. Una vez asociada la operación a una transacción, convertimos PREALLOC a PERTRANS, que se compensa de forma masiva al final de la transacción. Sin embargo, las rutas de error de estas tres operaciones no implementaban este ciclo de vida correctamente. Convirtieron incondicionalmente PREALLOC a PERTRANS en un paso de limpieza genérico, independientemente de los errores o de si la operación estaba completamente asociada a una transacción o no. Esto resultó en rutas de error que ocasionalmente convertían este rsv a PERTRANS sin llamar exitosamente a record_root_in_trans, lo que significaba que, a menos que algún otro hilo registrara esa raíz en la transacción, el final de la transacción no liberaría el PERTRANS de esa raíz, filtrándolo. En última instancia, esto resultó en un aviso de ADVERTENCIA en las compilaciones CONFIG_BTRFS_DEBUG al desmontar la reserva filtrada. La solución es garantizar que cada reserva PREALLOC de qgroup observe las siguientes propiedades: 1. cualquier falla antes de que se llame exitosamente a record_root_in_trans resulta en la liberación de la reserva PREALLOC. 2. después de record_root_in_trans, convertimos a PERTRANS, y ahora la transacción es dueña de la reserva. Este parche aplica esas propiedades en las tres operaciones. Sin él, generic/269 con cuotas habilitadas en el momento mkfs fallaría en ~5-10 ejecuciones en mi sistema. Con este parche, se ejecutó exitosamente 1000 veces seguidas.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/e85fde5162bf1b242cbd6daf7dba0f9b457d592b	Vuln. Introduced
https://git.kernel.org/stable/c/2978cb474745b2d93c263008d265e89985706094	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9	2024-04-17
https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c	2024-04-17
https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd	2024-04-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 6.6.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.6.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.8.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.9.5 Search vendor "Linux" for product "Linux Kernel" and version "5.9.5"		en		Affected