CVE-2021-46958
Vulnerability from cvelistv5
Published
2024-02-27 18:46
Modified
2024-11-04 11:56
Severity ?
EPSS score ?
Summary
btrfs: fix race between transaction aborts and fsyncs leading to use-after-free
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-46958", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-15T19:27:46.078537Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-15T19:28:05.836Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/transaction.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a4794be7b00b", "status": "affected", "version": "ef67963dac25", "versionType": "git" }, { "lessThan": "633f7f216663", "status": "affected", "version": "ef67963dac25", "versionType": "git" }, { "lessThan": "e2da98788369", "status": "affected", "version": "ef67963dac25", "versionType": "git" }, { "lessThan": "061dde824535", "status": "affected", "version": "ef67963dac25", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/transaction.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.36", "versionType": "semver" }, { "lessThanOrEqual": "5.11.*", "status": "unaffected", "version": "5.11.20", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\n\nThere is a race between a task aborting a transaction during a commit,\na task doing an fsync and the transaction kthread, which leads to an\nuse-after-free of the log root tree. When this happens, it results in a\nstack trace like the following:\n\n BTRFS info (device dm-0): forced readonly\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\n BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\n BTRFS error (device dm-0): error writing primary super block to device 1\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\n BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\n BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\n general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__mutex_lock+0x139/0xa40\n Code: c0 74 19 (...)\n RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\n RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\n RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\n R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\n FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n btrfs_sync_log+0x7c1/0xf20 [btrfs]\n btrfs_sync_file+0x40c/0x580 [btrfs]\n do_fsync+0x38/0x70\n __x64_sys_fsync+0x10/0x20\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fa9142a55c3\n Code: 8b 15 09 (...)\n RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\n RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\n RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\n RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\n R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\n Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\n ---[ end trace ee2f1b19327d791d ]---\n\nThe steps that lead to this crash are the following:\n\n1) We are at transaction N;\n\n2) We have two tasks with a transaction handle attached to transaction N.\n Task A and Task B. Task B is doing an fsync;\n\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\n into a local variable named \u0027log_root_tree\u0027 at the top of\n btrfs_sync_log(). Task B is about to call write_all_supers(), but\n before that...\n\n4) Task A calls btrfs_commit_transaction(), and after it sets the\n transaction state to TRANS_STATE_COMMIT_START, an error happens before\n it w\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-11-04T11:56:39.268Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6" }, { "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c" }, { "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338" }, { "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c" } ], "title": "btrfs: fix race between transaction aborts and fsyncs leading to use-after-free", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46958", "datePublished": "2024-02-27T18:46:59.315Z", "dateReserved": "2024-02-27T18:42:55.939Z", "dateUpdated": "2024-11-04T11:56:39.268Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-46958\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:06.813\",\"lastModified\":\"2024-02-28T14:06:45.783\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\\n\\nThere is a race between a task aborting a transaction during a commit,\\na task doing an fsync and the transaction kthread, which leads to an\\nuse-after-free of the log root tree. When this happens, it results in a\\nstack trace like the following:\\n\\n BTRFS info (device dm-0): forced readonly\\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\\n BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\\n BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\\n BTRFS error (device dm-0): error writing primary super block to device 1\\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\\n BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\\n BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\\n BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\\n general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\\n CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n RIP: 0010:__mutex_lock+0x139/0xa40\\n Code: c0 74 19 (...)\\n RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\\n RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\\n RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\\n R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\\n FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n btrfs_sync_file+0x40c/0x580 [btrfs]\\n do_fsync+0x38/0x70\\n __x64_sys_fsync+0x10/0x20\\n do_syscall_64+0x33/0x80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\n RIP: 0033:0x7fa9142a55c3\\n Code: 8b 15 09 (...)\\n RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\\n RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\\n RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\\n RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\\n R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\\n Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\\n ---[ end trace ee2f1b19327d791d ]---\\n\\nThe steps that lead to this crash are the following:\\n\\n1) We are at transaction N;\\n\\n2) We have two tasks with a transaction handle attached to transaction N.\\n Task A and Task B. Task B is doing an fsync;\\n\\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\\n into a local variable named \u0027log_root_tree\u0027 at the top of\\n btrfs_sync_log(). Task B is about to call write_all_supers(), but\\n before that...\\n\\n4) Task A calls btrfs_commit_transaction(), and after it sets the\\n transaction state to TRANS_STATE_COMMIT_START, an error happens before\\n it w\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige la ejecuci\u00f3n entre transacciones abortadas y fsyncs que conducen a use-after-free. Hay una carrera entre una tarea que aborta una transacci\u00f3n durante un commit, una tarea que realiza una fsync y la transacci\u00f3n. kthread, lo que conduce a un use-after-free del \u00e1rbol ra\u00edz del registro. Cuando esto sucede, se genera un seguimiento de pila como el siguiente: Informaci\u00f3n BTRFS (dispositivo dm-0): solo lectura forzada Advertencia BTRFS (dispositivo dm-0): omitir confirmaci\u00f3n de transacci\u00f3n abortada. BTRFS: error (dispositivo dm-0) en cleanup_transaction:1958: errno=-5 falla de IO Advertencia de BTRFS (dispositivo dm-0): escritura de p\u00e1gina perdida debido a un error de IO en /dev/mapper/error-test (-5) BTRFS Advertencia (dispositivo dm-0): omitir confirmaci\u00f3n de transacci\u00f3n abortada. Advertencia BTRFS (dispositivo dm-0): IO directa fall\u00f3 en 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 Error BTRFS (dispositivo dm-0): error al escribir el superbloque primario en el dispositivo 1 Advertencia BTRFS (dispositivo dm-0) : error de IO directo ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 advertencia BTRFS (dispositivo dm-0): error de IO directo ino 261 rw 0,0 sector 0x12e008 len 4096 error no 10 advertencia BTRFS (dispositivo dm-0) : error de IO directo ino 261 rw 0,0 sector 0x12e010 len 4096 error no 10 BTRFS: error (dispositivo dm-0) en write_all_supers:4110: errno=-5 error de IO (1 error al escribir supers) BTRFS: error (dispositivo dm -0) en btrfs_sync_log:3308: errno=-5 Fallo de E/S Fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0- rc5-btrfs-next-84 #1 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 01/04/2014 RIP: 0010:__mutex_lock+ 0x139/0xa40 C\u00f3digo: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 00000000000000002 RD X: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 00000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b 80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2 b4003 CR4 : 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 00000000000000000 DR6: 00000000fffe0ff0 DR7: 000000 0000000400 Rastreo de llamadas: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs]? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+ 0x33/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 C\u00f3digo : 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c 3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 000000000000000001 R09: 00007fff26278d5c R10: 0 000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 M\u00f3dulos vinculados en: btrfs dm_zero dm_snapshot dm _thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- Los pasos que conducen a este bloqueo son los siguientes: 1) Estamos en la transacci\u00f3n N; 2) Tenemos dos tareas con un identificador de transacci\u00f3n adjunto a la transacci\u00f3n N. Tarea A y Tarea B. La tarea B est\u00e1 realizando una sincronizaci\u00f3n f; 3) La tarea B est\u00e1 en btrfs_sync_log() y ha guardado fs_info-\u0026gt;log_root_tree en una variable local llamada \u0027log_root_tree\u0027 en la parte superior de btrfs_sync_log().---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.