CVE-2024-26944

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free in dozonefinish()

Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070.

BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in dozonefinish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007

CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dumpstacklvl+0x5b/0x90 printreport+0xcf/0x670 ? _virtaddrvalid+0x200/0x3e0 kasanreport+0xd8/0x110 ? dozonefinish+0x91a/0xb90 [btrfs] ? dozonefinish+0x91a/0xb90 [btrfs] dozonefinish+0x91a/0xb90 [btrfs] btrfsdeleteunusedbgs+0x5e1/0x1750 [btrfs] ? _pfxbtrfsdeleteunusedbgs+0x10/0x10 [btrfs] ? btrfsputroot+0x2d/0x220 [btrfs] ? btrfscleanonedeletedsnapshot+0x299/0x430 [btrfs] cleanerkthread+0x21e/0x380 [btrfs] ? _pfxcleanerkthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? _pfxkthread+0x10/0x10 retfromfork+0x31/0x70 ? _pfxkthread+0x10/0x10 retfromforkasm+0x1b/0x30 </TASK>

Allocated by task 3493983: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 _kasankmalloc+0xaa/0xb0 btrfsallocdevice+0xb3/0x4e0 [btrfs] devicelistadd.constprop.0+0x993/0x1630 [btrfs] btrfsscanonedevice+0x219/0x3d0 [btrfs] btrfscontrolioctl+0x26e/0x310 [btrfs] _x64sysioctl+0x134/0x1b0 dosyscall64+0x99/0x190 entrySYSCALL64afterhwframe+0x6e/0x76

Freed by task 3494056: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3f/0x60 poisonslabobject+0x102/0x170 _kasanslabfree+0x32/0x70 kfree+0x11b/0x320 btrfsrmdevreplacefreesrcdev+0xca/0x280 [btrfs] btrfsdevreplacefinishing+0xd7e/0x14f0 [btrfs] btrfsdevreplacebyioctl+0x1286/0x25a0 [btrfs] btrfsioctl+0xb27/0x57d0 [btrfs] _x64sysioctl+0x134/0x1b0 dosyscall64+0x99/0x190 entrySYSCALL64afterhwframe+0x6e/0x76

The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)

The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) pagetype: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

This UAF happens because we're accessing stale zone information of a already removed btrfsdevice in dozone_finish().

The sequence of events is as follows:

btrfsdevreplacestart btrfsscrubdev btrfsdevreplacefinishing btrfsdevreplaceupdatedeviceinmappingtree <-- devices replaced btrfsrmdevreplacefreesrcdev btrfsfreedevice <-- device freed

cleanerkthread btrfsdeleteunusedbgs btrfszonefinish dozonefinish <-- refers the freed device

The reason for this is that we're using a ---truncated---