linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

Bug #1945987 reported by Tim Gardner
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-azure (Ubuntu)
Invalid
Undecided
Unassigned
Focal
In Progress
Medium
Tim Gardner
linux-azure-5.8 (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Medium
Tim Gardner
linux-hwe-5.8 (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Committed
Medium
Tim Gardner

Bug Description

[BUG]
It's easy to trigger NULL pointer dereference, just by removing a
non-existing device id:

 # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
         /dev/test/scratch2
 # mount /dev/test/scratch1 /mnt/btrfs
 # btrfs device remove 3 /mnt/btrfs

Then we have the following kernel NULL pointer dereference:

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
 RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
  btrfs_ioctl+0x18bb/0x3190 [btrfs]
  ? lock_is_held_type+0xa5/0x120
  ? find_held_lock.constprop.0+0x2b/0x80
  ? do_user_addr_fault+0x201/0x6a0
  ? lock_release+0xd2/0x2d0
  ? __x64_sys_ioctl+0x83/0xb0
  __x64_sys_ioctl+0x83/0xb0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

[CAUSE]
Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
btrfs_device directly") moves the "missing" device path check into
btrfs_rm_device().

But btrfs_rm_device() itself can have case where it only receives
@devid, with NULL as @device_path.

In that case, calling strcmp() on NULL will trigger the NULL pointer
dereference.

Before that commit, we handle the "missing" case inside
btrfs_find_device_by_devspec(), which will not check @device_path at all
if @devid is provided, thus no way to trigger the bug.

[FIX]
Before calling strcmp(), also make sure @device_path is not NULL.

Tim Gardner (timg-tpi)
Changed in linux-hwe-5.8 (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
Changed in linux-hwe-5.8 (Ubuntu):
status: New → Invalid
Tim Gardner (timg-tpi)
Changed in linux-azure-5.8 (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tim Gardner (timg-tpi)
Changed in linux-azure-5.8 (Ubuntu):
status: New → Invalid
Tim Gardner (timg-tpi)
Changed in linux-azure (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tim Gardner (timg-tpi)
Changed in linux-azure (Ubuntu):
status: New → Invalid
Stefan Bader (smb)
Changed in linux-hwe-5.8 (Ubuntu Focal):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-5.8/5.8.0-66.74 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Tim Gardner (timg-tpi)
tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.2 KiB)

This bug was fixed in the package linux-azure-5.8 - 5.8.0-1043.46~20.04.1

---------------
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
    (LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
    id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are changing
  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Pac...

Read more...

Changed in linux-azure-5.8 (Ubuntu Focal):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers