Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-26726

Description

In the Linux kernel, the following vulnerability has been resolved:btrfs: don't drop extent_map for free space inode on write errorWhile running the CI for an unrelated change I hit the following panicwith generic/648 on btrfs_holes_spacecache.assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385------------[ cut here ]------------kernel BUG at fs/btrfs/extent_io.c:1385!invalid opcode: 0000 [#1] PREEMPT SMP NOPTICPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0Call Trace: extent_write_cache_pages+0x2ac/0x8f0 extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0 filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80 btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560 btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290 btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640 __x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76This happens because we fail to write out the free space cache in oneinstance, come back around and attempt to write it again. However onthe second pass through we go to call btrfs_get_extent() on the inode toget the extent mapping. Because this is a new block group, and with thefree space inode we always search the commit root to avoid deadlockingwith the tree, we find nothing and return a EXTENT_MAP_HOLE for therequested range.This happens because the first time we try to write the space cache outwe hit an error, and on an error we drop the extent mapping. This isnormal for normal files, but the free space cache inode is special. Wealways expect the extent map to be correct. Thus the second timethrough we end up with a bogus extent map.Since we're deprecating this feature, the most straightforward way tofix this is to simply skip dropping the extent map range for this failedrange.I shortened the test by using error injection to stress the area to makeit easier to reproduce. With this patch in place we no longer panicwith my error injection test.

POC

Reference

No PoCs from references.

Github

- https://github.com/fkie-cad/nvd-json-data-feeds