Bug 2300443 (CVE-2024-41067)

Summary: CVE-2024-41067 kernel: btrfs: scrub: handle RST lookup error correctly
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.9.11, kernel 6.10 Doc Type: If docs needed, set a value
Doc Text:
The Linux kernel vulnerability in the btrfs scrub process, triggered by a forced RST feature, involved an assertion failure due to improper handling of bio structures when `btrfs_map_block()` failed. The issue was caused by calling `btrfs_map_block()` after allocating a new bio, leading to empty bio handling problems.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2301627    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-29 15:44:22 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: scrub: handle RST lookup error correctly

[BUG]
When running btrfs/060 with forced RST feature, it would crash the
following ASSERT() inside scrub_read_endio():

	ASSERT(sector_nr < stripe->nr_sectors);

Before that, we would have tree dump from
btrfs_get_raid_extent_offset(), as we failed to find the RST entry for
the range.

[CAUSE]
Inside scrub_submit_extent_sector_read() every time we allocated a new
bbio we immediately called btrfs_map_block() to make sure there was some
RST range covering the scrub target.

But if btrfs_map_block() fails, we immediately call endio for the bbio,
while the bbio is newly allocated, it's completely empty.

Then inside scrub_read_endio(), we go through the bvecs to find
the sector number (as bi_sector is no longer reliable if the bio is
submitted to lower layers).

And since the bio is empty, such bvecs iteration would not find any
sector matching the sector, and return sector_nr == stripe->nr_sectors,
triggering the ASSERT().

[FIX]
Instead of calling btrfs_map_block() after allocating a new bbio, call
btrfs_map_block() first.

Since our only objective of calling btrfs_map_block() is only to update
stripe_len, there is really no need to do that after btrfs_alloc_bio().

This new timing would avoid the problem of handling empty bbio
completely, and in fact fixes a possible race window for the old code,
where if the submission thread is the only owner of the pending_io, the
scrub would never finish (since we didn't decrease the pending_io
counter).

Although the root cause of RST lookup failure still needs to be
addressed.
Comment 1 Mauro Matteo Cascella 2024-07-30 13:04:56 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024072907-CVE-2024-41067-bc18@gregkh/T
Comment 2 Mauro Matteo Cascella 2024-07-30 13:05:15 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2301627]