CVE

CVE-2024-46687

Severity:
HIGH
Type:
CWE-415 Double Free
Publication date:
13/09/2024
Last modified:
14/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()<br /> <br /> [BUG]<br /> There is an internal report that KASAN is reporting use-after-free, with<br /> the following backtrace:<br /> <br /> BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]<br /> Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45<br /> CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br /> Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]<br /> Call Trace:<br /> dump_stack_lvl+0x61/0x80<br /> print_address_description.constprop.0+0x5e/0x2f0<br /> print_report+0x118/0x216<br /> kasan_report+0x11d/0x1f0<br /> btrfs_check_read_bio+0xa68/0xb70 [btrfs]<br /> process_one_work+0xce0/0x12a0<br /> worker_thread+0x717/0x1250<br /> kthread+0x2e3/0x3c0<br /> ret_from_fork+0x2d/0x70<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> Allocated by task 20917:<br /> kasan_save_stack+0x37/0x60<br /> kasan_save_track+0x10/0x30<br /> __kasan_slab_alloc+0x7d/0x80<br /> kmem_cache_alloc_noprof+0x16e/0x3e0<br /> mempool_alloc_noprof+0x12e/0x310<br /> bio_alloc_bioset+0x3f0/0x7a0<br /> btrfs_bio_alloc+0x2e/0x50 [btrfs]<br /> submit_extent_page+0x4d1/0xdb0 [btrfs]<br /> btrfs_do_readpage+0x8b4/0x12a0 [btrfs]<br /> btrfs_readahead+0x29a/0x430 [btrfs]<br /> read_pages+0x1a7/0xc60<br /> page_cache_ra_unbounded+0x2ad/0x560<br /> filemap_get_pages+0x629/0xa20<br /> filemap_read+0x335/0xbf0<br /> vfs_read+0x790/0xcb0<br /> ksys_read+0xfd/0x1d0<br /> do_syscall_64+0x6d/0x140<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> Freed by task 20917:<br /> kasan_save_stack+0x37/0x60<br /> kasan_save_track+0x10/0x30<br /> kasan_save_free_info+0x37/0x50<br /> __kasan_slab_free+0x4b/0x60<br /> kmem_cache_free+0x214/0x5d0<br /> bio_free+0xed/0x180<br /> end_bbio_data_read+0x1cc/0x580 [btrfs]<br /> btrfs_submit_chunk+0x98d/0x1880 [btrfs]<br /> btrfs_submit_bio+0x33/0x70 [btrfs]<br /> submit_one_bio+0xd4/0x130 [btrfs]<br /> submit_extent_page+0x3ea/0xdb0 [btrfs]<br /> btrfs_do_readpage+0x8b4/0x12a0 [btrfs]<br /> btrfs_readahead+0x29a/0x430 [btrfs]<br /> read_pages+0x1a7/0xc60<br /> page_cache_ra_unbounded+0x2ad/0x560<br /> filemap_get_pages+0x629/0xa20<br /> filemap_read+0x335/0xbf0<br /> vfs_read+0x790/0xcb0<br /> ksys_read+0xfd/0x1d0<br /> do_syscall_64+0x6d/0x140<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> <br /> [CAUSE]<br /> Although I cannot reproduce the error, the report itself is good enough<br /> to pin down the cause.<br /> <br /> The call trace is the regular endio workqueue context, but the<br /> free-by-task trace is showing that during btrfs_submit_chunk() we<br /> already hit a critical error, and is calling btrfs_bio_end_io() to error<br /> out. And the original endio function called bio_put() to free the whole<br /> bio.<br /> <br /> This means a double freeing thus causing use-after-free, e.g.:<br /> <br /> 1. Enter btrfs_submit_bio() with a read bio<br /> The read bio length is 128K, crossing two 64K stripes.<br /> <br /> 2. The first run of btrfs_submit_chunk()<br /> <br /> 2.1 Call btrfs_map_block(), which returns 64K<br /> 2.2 Call btrfs_split_bio()<br /> Now there are two bios, one referring to the first 64K, the other<br /> referring to the second 64K.<br /> 2.3 The first half is submitted.<br /> <br /> 3. The second run of btrfs_submit_chunk()<br /> <br /> 3.1 Call btrfs_map_block(), which by somehow failed<br /> Now we call btrfs_bio_end_io() to handle the error<br /> <br /> 3.2 btrfs_bio_end_io() calls the original endio function<br /> Which is end_bbio_data_read(), and it calls bio_put() for the<br /> original bio.<br /> <br /> Now the original bio is freed.<br /> <br /> 4. The submitted first 64K bio finished<br /> Now we call into btrfs_check_read_bio() and tries to advance the bio<br /> iter.<br /> But since the original bio (thus its iter) is already freed, we<br /> trigger the above use-after free.<br /> <br /> And even if the memory is not poisoned/corrupted, we will later call<br /> the original endio function, causing a double freeing.<br /> <br /> [FIX]<br /> Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),<br /> which has the extra check on split bios and do the pr<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (including) 6.6.49 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools