CVE-2022-50067

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()

In btrfs_relocate_block_group(), the rc is allocated. Then btrfs_relocate_block_group() calls

relocate_block_group() prepare_to_relocate() set_reloc_control()

that assigns rc to the variable fs_info->reloc_ctl. When prepare_to_relocate() returns, it calls

btrfs_commit_transaction() btrfs_start_dirty_block_groups() btrfs_alloc_path() kmem_cache_zalloc()

which may fail for example (or other errors could happen). When the failure occurs, btrfs_relocate_block_group() detects the error and frees rc and doesn't set fs_info->reloc_ctl to NULL. After that, in btrfs_init_reloc_root(), rc is retrieved from fs_info->reloc_ctl and then used, which may cause a use-after-free bug.

This possible bug can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

To fix this possible bug, in prepare_to_relocate(), check if btrfs_commit_transaction() fails. If the failure occurs, unset_reloc_control() is called to set fs_info->reloc_ctl to NULL.

The error log in our fault-injection testing is shown as follows:

[ 58.751070] BUG: KASAN: use-after-free in btrfs_init_reloc_root+0x7ca/0x920 [btrfs] … [ 58.753577] Call Trace: … [ 58.755800] kasan_report+0x45/0x60 [ 58.756066] btrfs_init_reloc_root+0x7ca/0x920 [btrfs] [ 58.757304] record_root_in_trans+0x792/0xa10 [btrfs] [ 58.757748] btrfs_record_root_in_trans+0x463/0x4f0 [btrfs] [ 58.758231] start_transaction+0x896/0x2950 [btrfs] [ 58.758661] btrfs_defrag_root+0x250/0xc00 [btrfs] [ 58.759083] btrfs_ioctl_defrag+0x467/0xa00 [btrfs] [ 58.759513] btrfs_ioctl+0x3c95/0x114e0 [btrfs] … [ 58.768510] Allocated by task 23683: [ 58.768777] ____kasan_kmalloc+0xb5/0xf0 [ 58.769069] __kmalloc+0x227/0x3d0 [ 58.769325] alloc_reloc_control+0x10a/0x3d0 [btrfs] [ 58.769755] btrfs_relocate_block_group+0x7aa/0x1e20 [btrfs] [ 58.770228] btrfs_relocate_chunk+0xf1/0x760 [btrfs] [ 58.770655] __btrfs_balance+0x1326/0x1f10 [btrfs] [ 58.771071] btrfs_balance+0x3150/0x3d30 [btrfs] [ 58.771472] btrfs_ioctl_balance+0xd84/0x1410 [btrfs] [ 58.771902] btrfs_ioctl+0x4caa/0x114e0 [btrfs] … [ 58.773337] Freed by task 23683: … [ 58.774815] kfree+0xda/0x2b0 [ 58.775038] free_reloc_control+0x1d6/0x220 [btrfs] [ 58.775465] btrfs_relocate_block_group+0x115c/0x1e20 [btrfs] [ 58.775944] btrfs_relocate_chunk+0xf1/0x760 [btrfs] [ 58.776369] __btrfs_balance+0x1326/0x1f10 [btrfs] [ 58.776784] btrfs_balance+0x3150/0x3d30 [btrfs] [ 58.777185] btrfs_ioctl_balance+0xd84/0x1410 [btrfs] [ 58.777621] btrfs_ioctl+0x4caa/0x114e0 [btrfs] …

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1a5353475df8fcaf200fecc9e961a3900d15e891 < ff0e8ed8dfb584575cffc1561f17a1d094e8565baffected
LinuxLinux499d29bf151951399367ba83645abfdb429a3af9 < dcb11fe0a0a9cca2b7425191b9bf30dc29f2ad0faffected
LinuxLinux4223d91ca1b5bf3928e5722c3c6b3fdb49250ab3 < 8e546674031fc1576da501e27a8fd165222e5a37affected
LinuxLinux6f371623f315c26100e603c2e8837cdbe130f9e0 < b60e862e133f646f19023ece1d476d630a660de1affected
LinuxLinuxfb686c6824dd6294ca772b92424b8fba666e7d00 < 78f8c2370e3d33e35f23bdc648653d779aeacb6eaffected
LinuxLinuxfb686c6824dd6294ca772b92424b8fba666e7d00 < 5d741afed0bac206640cc64d77b97853283cf719affected
LinuxLinuxfb686c6824dd6294ca772b92424b8fba666e7d00 < 85f02d6c856b9f3a0acf5219de6e32f58b9778ebaffected
LinuxLinux5.13affected
LinuxLinux0 < 5.13unaffected
LinuxLinux5.15.63 <= 5.15.*unaffected
LinuxLinux5.19.4 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References