CVE-2021-46958
Vulnerability from cvelistv5
Published
2024-02-27 18:46
Modified
2024-11-04 11:56
Severity ?
Summary
btrfs: fix race between transaction aborts and fsyncs leading to use-after-free
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:27:46.078537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:28:05.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4794be7b00b",
              "status": "affected",
              "version": "ef67963dac25",
              "versionType": "git"
            },
            {
              "lessThan": "633f7f216663",
              "status": "affected",
              "version": "ef67963dac25",
              "versionType": "git"
            },
            {
              "lessThan": "e2da98788369",
              "status": "affected",
              "version": "ef67963dac25",
              "versionType": "git"
            },
            {
              "lessThan": "061dde824535",
              "status": "affected",
              "version": "ef67963dac25",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\n\nThere is a race between a task aborting a transaction during a commit,\na task doing an fsync and the transaction kthread, which leads to an\nuse-after-free of the log root tree. When this happens, it results in a\nstack trace like the following:\n\n  BTRFS info (device dm-0): forced readonly\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\n  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\n  BTRFS error (device dm-0): error writing primary super block to device 1\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\n  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\n  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\n  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__mutex_lock+0x139/0xa40\n  Code: c0 74 19 (...)\n  RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\n  RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\n  RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\n  R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\n  FS:  00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_file+0x40c/0x580 [btrfs]\n   do_fsync+0x38/0x70\n   __x64_sys_fsync+0x10/0x20\n   do_syscall_64+0x33/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fa9142a55c3\n  Code: 8b 15 09 (...)\n  RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\n  RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\n  RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\n  RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\n  R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\n  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\n  ---[ end trace ee2f1b19327d791d ]---\n\nThe steps that lead to this crash are the following:\n\n1) We are at transaction N;\n\n2) We have two tasks with a transaction handle attached to transaction N.\n   Task A and Task B. Task B is doing an fsync;\n\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\n   into a local variable named \u0027log_root_tree\u0027 at the top of\n   btrfs_sync_log(). Task B is about to call write_all_supers(), but\n   before that...\n\n4) Task A calls btrfs_commit_transaction(), and after it sets the\n   transaction state to TRANS_STATE_COMMIT_START, an error happens before\n   it w\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T11:56:39.268Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338"
        },
        {
          "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c"
        }
      ],
      "title": "btrfs: fix race between transaction aborts and fsyncs leading to use-after-free",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46958",
    "datePublished": "2024-02-27T18:46:59.315Z",
    "dateReserved": "2024-02-27T18:42:55.939Z",
    "dateUpdated": "2024-11-04T11:56:39.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-46958\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:06.813\",\"lastModified\":\"2024-02-28T14:06:45.783\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\\n\\nThere is a race between a task aborting a transaction during a commit,\\na task doing an fsync and the transaction kthread, which leads to an\\nuse-after-free of the log root tree. When this happens, it results in a\\nstack trace like the following:\\n\\n  BTRFS info (device dm-0): forced readonly\\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\\n  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\\n  BTRFS error (device dm-0): error writing primary super block to device 1\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\\n  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\\n  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\\n  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\\n  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n  RIP: 0010:__mutex_lock+0x139/0xa40\\n  Code: c0 74 19 (...)\\n  RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\\n  RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\\n  RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\\n  RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\\n  R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\\n  R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\\n  FS:  00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  Call Trace:\\n   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   btrfs_sync_file+0x40c/0x580 [btrfs]\\n   do_fsync+0x38/0x70\\n   __x64_sys_fsync+0x10/0x20\\n   do_syscall_64+0x33/0x80\\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\\n  RIP: 0033:0x7fa9142a55c3\\n  Code: 8b 15 09 (...)\\n  RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\\n  RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\\n  RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\\n  RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\\n  R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\\n  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\\n  ---[ end trace ee2f1b19327d791d ]---\\n\\nThe steps that lead to this crash are the following:\\n\\n1) We are at transaction N;\\n\\n2) We have two tasks with a transaction handle attached to transaction N.\\n   Task A and Task B. Task B is doing an fsync;\\n\\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\\n   into a local variable named \u0027log_root_tree\u0027 at the top of\\n   btrfs_sync_log(). Task B is about to call write_all_supers(), but\\n   before that...\\n\\n4) Task A calls btrfs_commit_transaction(), and after it sets the\\n   transaction state to TRANS_STATE_COMMIT_START, an error happens before\\n   it w\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige la ejecuci\u00f3n entre transacciones abortadas y fsyncs que conducen a use-after-free. Hay una carrera entre una tarea que aborta una transacci\u00f3n durante un commit, una tarea que realiza una fsync y la transacci\u00f3n. kthread, lo que conduce a un use-after-free del \u00e1rbol ra\u00edz del registro. Cuando esto sucede, se genera un seguimiento de pila como el siguiente: Informaci\u00f3n BTRFS (dispositivo dm-0): solo lectura forzada Advertencia BTRFS (dispositivo dm-0): omitir confirmaci\u00f3n de transacci\u00f3n abortada. BTRFS: error (dispositivo dm-0) en cleanup_transaction:1958: errno=-5 falla de IO Advertencia de BTRFS (dispositivo dm-0): escritura de p\u00e1gina perdida debido a un error de IO en /dev/mapper/error-test (-5) BTRFS Advertencia (dispositivo dm-0): omitir confirmaci\u00f3n de transacci\u00f3n abortada. Advertencia BTRFS (dispositivo dm-0): IO directa fall\u00f3 en 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 Error BTRFS (dispositivo dm-0): error al escribir el superbloque primario en el dispositivo 1 Advertencia BTRFS (dispositivo dm-0) : error de IO directo ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 advertencia BTRFS (dispositivo dm-0): error de IO directo ino 261 rw 0,0 sector 0x12e008 len 4096 error no 10 advertencia BTRFS (dispositivo dm-0) : error de IO directo ino 261 rw 0,0 sector 0x12e010 len 4096 error no 10 BTRFS: error (dispositivo dm-0) en write_all_supers:4110: errno=-5 error de IO (1 error al escribir supers) BTRFS: error (dispositivo dm -0) en btrfs_sync_log:3308: errno=-5 Fallo de E/S Fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0- rc5-btrfs-next-84 #1 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 01/04/2014 RIP: 0010:__mutex_lock+ 0x139/0xa40 C\u00f3digo: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 00000000000000002 RD X: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 00000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b 80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2 b4003 CR4 : 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 00000000000000000 DR6: 00000000fffe0ff0 DR7: 000000 0000000400 Rastreo de llamadas: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs]? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+ 0x33/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 C\u00f3digo : 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c 3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 000000000000000001 R09: 00007fff26278d5c R10: 0 000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 M\u00f3dulos vinculados en: btrfs dm_zero dm_snapshot dm _thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- Los pasos que conducen a este bloqueo son los siguientes: 1) Estamos en la transacci\u00f3n N; 2) Tenemos dos tareas con un identificador de transacci\u00f3n adjunto a la transacci\u00f3n N. Tarea A y Tarea B. La tarea B est\u00e1 realizando una sincronizaci\u00f3n f; 3) La tarea B est\u00e1 en btrfs_sync_log() y ha guardado fs_info-\u0026gt;log_root_tree en una variable local llamada \u0027log_root_tree\u0027 en la parte superior de btrfs_sync_log().---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.