CVE-2024-38306

{"id": "CVE-2024-38306", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-06-25T15:15:13.367", "references": [{"url": "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-617"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n BUG: Bad page state in process kswapd0 pfn:d6e840\n page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n pfn:0xd6e840\n aops:btree_aops ino:1\n flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n page_type: 0xffffffff()\n raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n Thread A | Thread B\n-----------------------------------+-------------------------------------\n | btree_release_folio()\n\t\t\t\t | | This is for the page at X + 4K,\n\t\t\t\t | | Not page X.\n\t\t\t\t | |\nalloc_extent_buffer() | |- release_extent_buffer()\n|- filemap_add_folio() for the | | |- atomic_dec_and_test(eb->refs)\n| page at bytenr X (the first | | |\n| page). | | |\n| Which returned -EEXIST. | | |\n| | | |\n|- filemap_lock_folio() | | |\n| Returned the first page locked. | | |\n| | | |\n|- grab_extent_buffer() | | |\n| |- atomic_inc_not_zero() | | |\n| | Returned false | | |\n| |- folio_detach_private() | | |- folio_detach_private() for X\n| |- folio_test_private() | | |- folio_test_private()\n | Returned true | | | Returned true\n |- folio_put() | |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n If the release is on the same first page of an eb, page lock would kick\n in and prevent the race.\n\n- folio_detach_private() has a very small race window\n It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n #!/bin/sh\n drop_caches () {\n\t while(true); do\n\t\t echo 3 > /proc/sys/vm/drop_caches\n\t\t echo 1 > /proc/sys/vm/compact_memory\n\t done\n }\n\n run_tar () {\n\t while(true); do\n\t\t for x in `seq 1 80` ; do\n\t\t\t tar cf /dev/zero /mnt > /dev/null &\n\t\t done\n\t\t wait\n\t done\n }\n\n mkfs.btrfs -f -d single -m single\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: proteger folio::privado al adjuntar folios de b\u00fafer de extensi\u00f3n [ERROR] Desde la versi\u00f3n 6.8, varias personas reportan fallas raras del kernel, el factor com\u00fan son mensajes de error de estado incorrecto de la p\u00e1gina as\u00ed: ERROR: Estado incorrecto de la p\u00e1gina en el proceso kswapd0 pfn:d6e840 p\u00e1gina: refcount:0 mapcount:0 mapeo:000000007512f4f2 index:0x2796c2c7c pfn:0xd6e840 aops:btree_aops ino:1 flags: 0x17ffffe0000008(uptodate|node=0|zone= 2 |lastcpupid=0x3fffff) tipo de p\u00e1gina: 0xffffffff() raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0 raw: 00000002796c2c7c 0000000000000000 0000 0000ffffffff 0000000000000000 p\u00e1gina volcada porque: mapeo no NULL [CAUSA] Commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() para asignar el m\u00e9todo luego adjuntar \") cambia la secuencia al asignar un nuevo b\u00fafer de extensi\u00f3n. Anteriormente siempre llam\u00e1bamos a grab_extent_buffer() en mapeo->i_private_lock, para garantizar la seguridad en la modificaci\u00f3n en folio::private (que es un puntero al b\u00fafer de extensi\u00f3n para el tama\u00f1o de sector normal). Esto puede llevar a la siguiente ejecuci\u00f3n: el subproceso A est\u00e1 intentando asignar un b\u00fafer de extensi\u00f3n en el bytenr X, con 4 p\u00e1ginas de 4K, mientras que el subproceso B est\u00e1 intentando liberar la p\u00e1gina en X + 4K (la segunda p\u00e1gina del b\u00fafer de extensi\u00f3n en X) . Hilo A | Hilo B -----------------------------------+------------ ------------------------- | btree_release_folio() | | Esto es para la p\u00e1gina en X + 4K, | | No la p\u00e1gina X. | | alloc_extent_buffer() | |- release_extent_buffer() |- filemap_add_folio() para el | | |- atomic_dec_and_test(eb->refs) | p\u00e1gina en bytenr X (la primera | | | | p\u00e1gina). | | | | Que devolvi\u00f3 -EEXIST. | | | | | | | |- filemap_lock_folio() | | | | Devolvi\u00f3 la primera p\u00e1gina bloqueada. | | | | | | | |- grab_extent_buffer() | | | | |- atomic_inc_not_zero() | | | | | Devuelto falso | | | | |- folio_detach_private() | | |- folio_detach_private() para X | |- folio_test_private() | | |- folio_test_private() | Devuelto verdadero | | | Devuelto verdadero |- folio_put() | |- folio_put() Ahora hay dos opciones de venta en el mismo folio en el folio X, lo que provoca un recuento insuficiente del folio X y, finalmente, provoca el error BUG_ON() en la p\u00e1gina->mapeo. La condici\u00f3n no es tan f\u00e1cil de cumplir: - La publicaci\u00f3n debe activarse para la p\u00e1gina intermedia de un eb. Si la publicaci\u00f3n est\u00e1 en la misma primera p\u00e1gina de un eb, el bloqueo de p\u00e1gina se activar\u00eda e impedir\u00eda la ejecuci\u00f3n. - folio_detach_private() tiene una ventana de ejecuci\u00f3n muy peque\u00f1a. Es solo entre folio_test_private() y folio_clear_private(). Eso es exactamente cuando se usa mapeo->i_private_lock para evitar dicha ejecuci\u00f3n, y la confirmaci\u00f3n 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() para asignar-luego-adjuntar m\u00e9todo\") arruin\u00f3 eso. En ese momento, pens\u00e9 que el bloqueo de p\u00e1gina se activar\u00eda ya que filemap_release_folio() tambi\u00e9n requiere que la p\u00e1gina est\u00e9 bloqueada, pero olvid\u00e9 que filemap_release_folio() solo bloquea una p\u00e1gina, no todas las p\u00e1ginas de un b\u00fafer de extensi\u00f3n. [FIX] Mueva todo el c\u00f3digo que requiere i_private_lock a adjunto_eb_folio_to_filemap(), para que todo se haga con la protecci\u00f3n de bloqueo adecuada. Adem\u00e1s, para evitar problemas futuros, agregue un lockdep_assert_locked() adicional para garantizar que mantenemos el bloqueo adecuado. Para el reproductor que puede iniciar la ejecuci\u00f3n (tarda unos minutos con el c\u00f3digo instrumentado insertando retrasos en alloc_extent_buffer()): #!/bin/sh drop_caches () { while(true); hacer echo 3 > /proc/sys/vm/drop_caches echo 1 > /proc/sys/vm/compact_memory hecho } run_tar () { while(true); hacer para x en `seq 1 80`; hacer tar cf /dev/zero /mnt > /dev/null & hecho esperar hecho } mkfs.btrfs -f -d single -m single ---truncado---"}], "lastModified": "2025-09-17T16:00:46.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B3D6E66-FEFD-4991-BA30-CE0850746435", "versionEndExcluding": "6.9.5", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}