cve-2021-47508
Vulnerability from cvelistv5
Published: 2024-05-24 15:01
Modified: 2024-12-19 07:43
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: free exchange changeset on failures

Fstests runs on my VMs have shown several kmemleak reports like the following.

  unreferenced object 0xffff88811ae59080 (size 64):
    comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s)
    hex dump (first 32 bytes):
      00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00  ................
      90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff  ................
    backtrace:
      [<00000000ac0176d2>] ulist_add_merge+0x60/0x150 [btrfs]
      [<0000000076e9f312>] set_state_bits+0x86/0xc0 [btrfs]
      [<0000000014fe73d6>] set_extent_bit+0x270/0x690 [btrfs]
      [<000000004f675208>] set_record_extent_bits+0x19/0x20 [btrfs]
      [<00000000b96137b1>] qgroup_reserve_data+0x274/0x310 [btrfs]
      [<0000000057e9dcbb>] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]
      [<0000000019c4511d>] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]
      [<000000006d37e007>] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]
      [<00000000fb8a74b8>] iomap_iter+0x161/0x1e0
      [<0000000071dff6ff>] __iomap_dio_rw+0x1df/0x700
      [<000000002567ba53>] iomap_dio_rw+0x5/0x20
      [<0000000072e555f8>] btrfs_file_write_iter+0x290/0x530 [btrfs]
      [<000000005eb3d845>] new_sync_write+0x106/0x180
      [<000000003fb505bf>] vfs_write+0x24d/0x2f0
      [<000000009bb57d37>] __x64_sys_pwrite64+0x69/0xa0
      [<000000003eba3fdf>] do_syscall_64+0x43/0x90

In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata() fail the allocated extent_changeset will not be freed.

So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space() free the allocated extent_changeset to get rid of the allocated memory.

The issue currently only happens in the direct IO write path, but only after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO write into NOCOW range"), and also at defrag_one_locked_target(). Every other place is always calling extent_changeset_free() even if its call to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has failed.
Impacted products
Vendor Product Version
Linux Linux


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.770Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:35:39.656794Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:22.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delalloc-space.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca06c5cb1b6dbfe67655b33c02fc394d65824519",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "da5e817d9d75422eaaa05490d0b9a5e328fc1a51",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delalloc-space.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: free exchange changeset on failures\n\nFstests runs on my VMs have show several kmemleak reports like the following.\n\n  unreferenced object 0xffff88811ae59080 (size 64):\n    comm \"xfs_io\", pid 12124, jiffies 4294987392 (age 6.368s)\n    hex dump (first 32 bytes):\n      00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00  ................\n      90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff  ................\n    backtrace:\n      [\u003c00000000ac0176d2\u003e] ulist_add_merge+0x60/0x150 [btrfs]\n      [\u003c0000000076e9f312\u003e] set_state_bits+0x86/0xc0 [btrfs]\n      [\u003c0000000014fe73d6\u003e] set_extent_bit+0x270/0x690 [btrfs]\n      [\u003c000000004f675208\u003e] set_record_extent_bits+0x19/0x20 [btrfs]\n      [\u003c00000000b96137b1\u003e] qgroup_reserve_data+0x274/0x310 [btrfs]\n      [\u003c0000000057e9dcbb\u003e] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]\n      [\u003c0000000019c4511d\u003e] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]\n      [\u003c000000006d37e007\u003e] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]\n      [\u003c00000000fb8a74b8\u003e] iomap_iter+0x161/0x1e0\n      [\u003c0000000071dff6ff\u003e] __iomap_dio_rw+0x1df/0x700\n      [\u003c000000002567ba53\u003e] iomap_dio_rw+0x5/0x20\n      [\u003c0000000072e555f8\u003e] btrfs_file_write_iter+0x290/0x530 [btrfs]\n      [\u003c000000005eb3d845\u003e] new_sync_write+0x106/0x180\n      [\u003c000000003fb505bf\u003e] vfs_write+0x24d/0x2f0\n      [\u003c000000009bb57d37\u003e] __x64_sys_pwrite64+0x69/0xa0\n      [\u003c000000003eba3fdf\u003e] do_syscall_64+0x43/0x90\n\nIn case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()\nfail the allocated extent_changeset will not be freed.\n\nSo in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()\nfree the allocated extent_changeset to get rid of the allocated memory.\n\nThe issue currently only happens in the direct IO write path, but only\nafter 65b3c08606e5 (\"btrfs: fix ENOSPC failure when attempting direct IO\nwrite into NOCOW range\"), and also at defrag_one_locked_target(). Every\nother place is always calling extent_changeset_free() even if its call\nto btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has\nfailed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:43:48.778Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519"
        },
        {
          "url": "https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51"
        }
      ],
      "title": "btrfs: free exchange changeset on failures",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47508",
    "datePublished": "2024-05-24T15:01:54.048Z",
    "dateReserved": "2024-05-22T06:20:56.206Z",
    "dateUpdated": "2024-12-19T07:43:48.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

