

CVE-2024-35956

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction.

However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation.

The fix is to ensure that every qgroup PREALLOC reservation observes the following properties:

1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation.
2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation.

This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.
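The reservation lifecycle described above, as a user-space C model added here for illustration; it is not the kernel patch or btrfs code, and every struct and function name in it is hypothetical. It contrasts the unconditional PREALLOC to PERTRANS conversion on the error path with the two properties the fix enforces.

```c
/* Toy model of the qgroup reservation lifecycle (hypothetical names, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct root  { long prealloc, pertrans; bool recorded; };
struct trans { struct root *roots[4]; int nr; };

/* Stand-in for record_root_in_trans: on success the transaction tracks the root. */
static int record_root(struct trans *t, struct root *r, bool fail)
{
    if (fail)
        return -1;
    if (!r->recorded) { t->roots[t->nr++] = r; r->recorded = true; }
    return 0;
}

static void convert_to_pertrans(struct root *r, long n) { r->prealloc -= n; r->pertrans += n; }
static void free_prealloc(struct root *r, long n)       { r->prealloc -= n; }

/* End of transaction: PERTRANS is cleared in bulk, but only for recorded roots. */
static void end_transaction(struct trans *t)
{
    for (int i = 0; i < t->nr; i++) {
        t->roots[i]->pertrans = 0;
        t->roots[i]->recorded = false;
    }
    t->nr = 0;
}

/* Runs one modelled subvolume operation; returns the bytes still reserved afterwards. */
long subvol_op(bool fixed, bool record_fails)
{
    struct root r = {0};
    struct trans t = {0};
    const long n = 4096;                 /* constructed reservation size */

    r.prealloc += n;                     /* metadata reserved as PREALLOC */
    int ret = record_root(&t, &r, record_fails);
    if (!fixed)
        convert_to_pertrans(&r, n);      /* old cleanup: converts regardless of ret */
    else if (ret)
        free_prealloc(&r, n);            /* property 1: failure frees PREALLOC */
    else
        convert_to_pertrans(&r, n);      /* property 2: transaction now owns it */
    end_transaction(&t);
    return r.prealloc + r.pertrans;      /* non-zero means a leaked reservation */
}

int main(void)
{
    printf("old, record fails: %ld leaked\n", subvol_op(false, true));
    printf("fixed, record fails: %ld leaked\n", subvol_op(true, true));
    return 0;
}
```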

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security