cve-2021-47508
Vulnerability from cvelistv5
Published
2024-05-24 15:01
Modified
2024-09-11 17:33
Severity
Summary
btrfs: free exchange changeset on failures
References
SourceURLTags
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51
Impacted products
VendorProduct
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.770Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:35:39.656794Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:22.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delalloc-space.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca06c5cb1b6d",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "da5e817d9d75",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delalloc-space.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.8",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: free exchange changeset on failures\n\nFstests runs on my VMs have show several kmemleak reports like the following.\n\n  unreferenced object 0xffff88811ae59080 (size 64):\n    comm \"xfs_io\", pid 12124, jiffies 4294987392 (age 6.368s)\n    hex dump (first 32 bytes):\n      00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00  ................\n      90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff  ................\n    backtrace:\n      [\u003c00000000ac0176d2\u003e] ulist_add_merge+0x60/0x150 [btrfs]\n      [\u003c0000000076e9f312\u003e] set_state_bits+0x86/0xc0 [btrfs]\n      [\u003c0000000014fe73d6\u003e] set_extent_bit+0x270/0x690 [btrfs]\n      [\u003c000000004f675208\u003e] set_record_extent_bits+0x19/0x20 [btrfs]\n      [\u003c00000000b96137b1\u003e] qgroup_reserve_data+0x274/0x310 [btrfs]\n      [\u003c0000000057e9dcbb\u003e] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]\n      [\u003c0000000019c4511d\u003e] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]\n      [\u003c000000006d37e007\u003e] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]\n      [\u003c00000000fb8a74b8\u003e] iomap_iter+0x161/0x1e0\n      [\u003c0000000071dff6ff\u003e] __iomap_dio_rw+0x1df/0x700\n      [\u003c000000002567ba53\u003e] iomap_dio_rw+0x5/0x20\n      [\u003c0000000072e555f8\u003e] btrfs_file_write_iter+0x290/0x530 [btrfs]\n      [\u003c000000005eb3d845\u003e] new_sync_write+0x106/0x180\n      [\u003c000000003fb505bf\u003e] vfs_write+0x24d/0x2f0\n      [\u003c000000009bb57d37\u003e] __x64_sys_pwrite64+0x69/0xa0\n      [\u003c000000003eba3fdf\u003e] do_syscall_64+0x43/0x90\n\nIn case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()\nfail the allocated extent_changeset will not be freed.\n\nSo in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()\nfree the allocated extent_changeset to get rid of the allocated memory.\n\nThe issue currently only happens in the direct IO write path, but only\nafter 65b3c08606e5 (\"btrfs: fix ENOSPC failure when attempting direct IO\nwrite into NOCOW range\"), and also at defrag_one_locked_target(). Every\nother place is always calling extent_changeset_free() even if its call\nto btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has\nfailed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:09:11.002Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519"
        },
        {
          "url": "https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51"
        }
      ],
      "title": "btrfs: free exchange changeset on failures",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47508",
    "datePublished": "2024-05-24T15:01:54.048Z",
    "dateReserved": "2024-05-22T06:20:56.206Z",
    "dateUpdated": "2024-09-11T17:33:22.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47508\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:11.573\",\"lastModified\":\"2024-05-24T18:09:20.027\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: free exchange changeset on failures\\n\\nFstests runs on my VMs have show several kmemleak reports like the following.\\n\\n  unreferenced object 0xffff88811ae59080 (size 64):\\n    comm \\\"xfs_io\\\", pid 12124, jiffies 4294987392 (age 6.368s)\\n    hex dump (first 32 bytes):\\n      00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00  ................\\n      90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff  ................\\n    backtrace:\\n      [\u003c00000000ac0176d2\u003e] ulist_add_merge+0x60/0x150 [btrfs]\\n      [\u003c0000000076e9f312\u003e] set_state_bits+0x86/0xc0 [btrfs]\\n      [\u003c0000000014fe73d6\u003e] set_extent_bit+0x270/0x690 [btrfs]\\n      [\u003c000000004f675208\u003e] set_record_extent_bits+0x19/0x20 [btrfs]\\n      [\u003c00000000b96137b1\u003e] qgroup_reserve_data+0x274/0x310 [btrfs]\\n      [\u003c0000000057e9dcbb\u003e] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]\\n      [\u003c0000000019c4511d\u003e] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]\\n      [\u003c000000006d37e007\u003e] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]\\n      [\u003c00000000fb8a74b8\u003e] iomap_iter+0x161/0x1e0\\n      [\u003c0000000071dff6ff\u003e] __iomap_dio_rw+0x1df/0x700\\n      [\u003c000000002567ba53\u003e] iomap_dio_rw+0x5/0x20\\n      [\u003c0000000072e555f8\u003e] btrfs_file_write_iter+0x290/0x530 [btrfs]\\n      [\u003c000000005eb3d845\u003e] new_sync_write+0x106/0x180\\n      [\u003c000000003fb505bf\u003e] vfs_write+0x24d/0x2f0\\n      [\u003c000000009bb57d37\u003e] __x64_sys_pwrite64+0x69/0xa0\\n      [\u003c000000003eba3fdf\u003e] do_syscall_64+0x43/0x90\\n\\nIn case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()\\nfail the allocated extent_changeset will not be freed.\\n\\nSo in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()\\nfree the allocated extent_changeset to get rid of the allocated memory.\\n\\nThe issue currently only happens in the direct IO write path, but only\\nafter 65b3c08606e5 (\\\"btrfs: fix ENOSPC failure when attempting direct IO\\nwrite into NOCOW range\\\"), and also at defrag_one_locked_target(). Every\\nother place is always calling extent_changeset_free() even if its call\\nto btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has\\nfailed.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: conjunto de cambios de intercambio gratuito en caso de fallas. Las ejecuciones de Fstests en mis VM han mostrado varios informes de kmemleak como el siguiente. objeto sin referencia 0xffff88811ae59080 (tama\u00f1o 64): comm \\\"xfs_io\\\", pid 12124, jiffies 4294987392 (edad 6,368 s) volcado hexadecimal (primeros 32 bytes): 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00... ............. 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................ retroceso: [\u0026lt;00000000ac0176d2 \u0026gt;] ulist_add_merge+0x60/0x150 [btrfs] [\u0026lt;0000000076e9f312\u0026gt;] set_state_bits+0x86/0xc0 [btrfs] [\u0026lt;0000000014fe73d6\u0026gt;] set_extent_bit+0x270/0x690 [btrfs] [\u0026lt;000000004f 675208\u0026gt;] set_record_extent_bits+0x19/0x20 [btrfs] [ \u0026lt;00000000b96137b1\u0026gt;] qgroup_reserve_data+0x274/0x310 [btrfs] [\u0026lt;0000000057e9dcbb\u0026gt;] btrfs_check_data_free_space+0x5c/0xa0 [btrfs] [\u0026lt;0000000019c4511d\u0026gt;] +0x1b/0xa0 [btrfs] [\u0026lt;000000006d37e007\u0026gt;] btrfs_dio_iomap_begin+0x415/0x970 [btrfs ] [\u0026lt;00000000fb8a74b8\u0026gt;] iomap_iter+0x161/0x1e0 [\u0026lt;0000000071dff6ff\u0026gt;] __iomap_dio_rw+0x1df/0x700 [\u0026lt;000000002567ba53\u0026gt;] iomap_dio_rw+0x5/0x20 [\u0026lt;000000 0072e555f8\u0026gt;] btrfs_file_write_iter+0x290/0x530 [btrfs] [\u0026lt;000000005eb3d845\u0026gt;] new_sync_write +0x106/0x180 [\u0026lt;000000003fb505bf\u0026gt;] vfs_write+0x24d/0x2f0 [\u0026lt;000000009bb57d37\u0026gt;] __x64_sys_pwrite64+0x69/0xa0 [\u0026lt;000000003eba3fdf\u0026gt;] 3/0x90 En caso de que brtfs_qgroup_reserve_data() o btrfs_delalloc_reserve_metadata() fallen, el conjunto de cambios asignado no ser\u00e1 liberado. Entonces, en btrfs_check_data_free_space() y btrfs_delalloc_reserve_space() libera el extend_changeset asignado para deshacerte de la memoria asignada. Actualmente, el problema solo ocurre en la ruta de escritura de IO directa, pero solo despu\u00e9s de 65b3c08606e5 (\\\"btrfs: corrige la falla de ENOSPC al intentar escribir IO directa en el rango NOCOW\\\"), y tambi\u00e9n en defrag_one_locked_target(). Todos los dem\u00e1s lugares siempre llaman a extend_changeset_free() incluso si su llamada a btrfs_delalloc_reserve_space() o btrfs_check_data_free_space() ha fallado.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ca06c5cb1b6dbfe67655b33c02fc394d65824519\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/da5e817d9d75422eaaa05490d0b9a5e328fc1a51\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.