CVE-2024-57976

一、漏洞信息
 漏洞编号：[CVE-2024-57976](https://nvd.nist.gov/vuln/detail/CVE-2024-57976)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:btrfs: do proper folio cleanup when cow_file_range() failed[BUG]When testing with COW fixup marked as BUG_ON() (this is involved with thenew pin_user_pages*() change, which should not result new out-of-banddirty pages), I hit a crash triggered by the BUG_ON() from hitting COWfixup path.This BUG_ON() happens just after a failed btrfs_run_delalloc_range():  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28  ------------[ cut here ]------------  kernel BUG at fs/btrfs/extent_io.c:1444!  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G           OE      6.12.0-rc7-custom+ #86  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]  pc : extent_writepage_io+0x2d4/0x308 [btrfs]  lr : extent_writepage_io+0x2d4/0x308 [btrfs]  Call trace:   extent_writepage_io+0x2d4/0x308 [btrfs]   extent_writepage+0x218/0x330 [btrfs]   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]   btrfs_writepages+0x94/0x150 [btrfs]   do_writepages+0x74/0x190   filemap_fdatawrite_wbc+0x88/0xc8   start_delalloc_inodes+0x180/0x3b0 [btrfs]   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]   shrink_delalloc+0x114/0x280 [btrfs]   flush_space+0x250/0x2f8 [btrfs]   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]   process_one_work+0x164/0x408   worker_thread+0x25c/0x388   kthread+0x100/0x118   ret_from_fork+0x10/0x20  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)  ---[ end trace 0000000000000000 ]---[CAUSE]That failure is mostly from cow_file_range(), where we can hit -ENOSPC.Although the -ENOSPC is already a bug related to our space reservationcode, let s just focus on the error handling.For example, we have the following dirty range [0, 64K) of an inode,with 4K sector size and 4K page size:   0        16K        32K       48K       64K   |///////////////////////////////////////|   |#######################################|Where |///| means page are still dirty, and |###| means the extent iotree has EXTENT_DELALLOC flag.- Enter extent_writepage() for page 0- Enter btrfs_run_delalloc_range() for range [0, 64K)- Enter cow_file_range() for range [0, 64K)- Function btrfs_reserve_extent() only reserved one 16K extent  So we created extent map and ordered extent for range [0, 16K)   0        16K        32K       48K       64K   |////////|//////////////////////////////|   |<- OE ->|##############################|   And range [0, 16K) has its delalloc flag cleared.   But since we haven t yet submit any bio, involved 4 pages are still   dirty.- Function btrfs_reserve_extent() returns with -ENOSPC  Now we have to run error cleanup, which will clear all  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining  ranges:   0        16K        32K       48K       64K   |////////|                              |   |        |                              |  Note that range [0, 16K) still has its pages dirty.- Some time later, writeback is triggered again for the range [0, 16K)  since the page range still has dirty flags.- btrfs_run_delalloc_range() will do nothing because there is no  EXTENT_DELALLOC flag.- extent_writepage_io() finds page 0 has no ordered flag  Which falls into the COW fixup path, triggering the BUG_ON().Unfortunately this error handling bug dates back to the introduction ofbtrfs.  Thankfully with the abuse of COW fixup, at least it won t crashthe kernel.[FIX]Instead of immediately unlocking the extent and folios, we keep the extentand folios locked until either erroring out or the whole delalloc rangefinished.When the whole delalloc range finished without error, we just unlock thewhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_lockedcases)---truncated---
 漏洞公开时间：2025-02-27 10:15:10
 漏洞创建时间：2025-02-27 11:35:05
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-57976
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-57976 | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-57976 | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| suse_bugzilla | https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| suse_bugzilla | https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4 | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-57976.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2348637 | https://bugzilla.suse.com/show_bug.cgi?id=1239100 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2025022633-CVE-2024-57976-10f5@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2348637 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-57976 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux_kernel | 6.13.2 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=692cf71173bb41395c855acbbbe197d3aedfa5d4Fixed |  | linuxkernelcves |
| linux_kernel | 6.14-rc1 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=06f364284794f149d2abc167c11d556cf20c954bPlease |  | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:btrfs: do proper folio cleanup when cow_file_range() failed[BUG]When testing with COW fixup marked as BUG_ON() (this is involved with thenew pin_user_pages*() change, which should not result new out-of-banddirty pages), I hit a crash triggered by the BUG_ON() from hitting COWfixup path.This BUG_ON() happens just after a failed btrfs_run_delalloc_range():  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28  ------------[ cut here ]------------  kernel BUG at fs/btrfs/extent_io.c:1444!  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G           OE      6.12.0-rc7-custom+ #86  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]  pc : extent_writepage_io+0x2d4/0x308 [btrfs]  lr : extent_writepage_io+0x2d4/0x308 [btrfs]  Call trace:   extent_writepage_io+0x2d4/0x308 [btrfs]   extent_writepage+0x218/0x330 [btrfs]   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]   btrfs_writepages+0x94/0x150 [btrfs]   do_writepages+0x74/0x190   filemap_fdatawrite_wbc+0x88/0xc8   start_delalloc_inodes+0x180/0x3b0 [btrfs]   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]   shrink_delalloc+0x114/0x280 [btrfs]   flush_space+0x250/0x2f8 [btrfs]   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]   process_one_work+0x164/0x408   worker_thread+0x25c/0x388   kthread+0x100/0x118   ret_from_fork+0x10/0x20  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)  ---[ end trace 0000000000000000 ]---[CAUSE]That failure is mostly from cow_file_range(), where we can hit -ENOSPC.Although the -ENOSPC is already a bug related to our space reservationcode, let&#39;s just focus on the error handling.For example, we have the following dirty range [0, 64K) of an inode,with 4K sector size and 4K page size:   0        16K        32K       48K       64K   |///////////////////////////////////////|   |#######################################|Where |///| means page are still dirty, and |###| means the extent iotree has EXTENT_DELALLOC flag.- Enter extent_writepage() for page 0- Enter btrfs_run_delalloc_range() for range [0, 64K)- Enter cow_file_range() for range [0, 64K)- Function btrfs_reserve_extent() only reserved one 16K extent  So we created extent map and ordered extent for range [0, 16K)   0        16K        32K       48K       64K   |////////|//////////////////////////////|   |&lt;- OE -&gt;|##############################|   And range [0, 16K) has its delalloc flag cleared.   But since we haven&#39;t yet submit any bio, involved 4 pages are still   dirty.- Function btrfs_reserve_extent() returns with -ENOSPC  Now we have to run error cleanup, which will clear all  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining  ranges:   0        16K        32K       48K       64K   |////////|                              |   |        |                              |  Note that range [0, 16K) still has its pages dirty.- Some time later, writeback is triggered again for the range [0, 16K)  since the page range still has dirty flags.- btrfs_run_delalloc_range() will do nothing because there is no  EXTENT_DELALLOC flag.- extent_writepage_io() finds page 0 has no ordered flag  Which falls into the COW fixup path, triggering the BUG_ON().Unfortunately this error handling bug dates back to the introduction ofbtrfs.  Thankfully with the abuse of COW fixup, at least it won&#39;t crashthe kernel.[FIX]Instead of immediately unlocking the extent and folios, we keep the extentand folios locked until either erroring out or the whole delalloc rangefinished.When the whole delalloc range finished without error, we just unlock thewhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_lockedcases), with EXTENT_DELALLOC and EXTENT_LOCKED cleared.And the involved folios will be properly submitted, with their dirtyflags cleared during submission.For the error path, it will be a little more comple
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响
8.openEuler-24.03-LTS-SP2(6.6.0):

修复是否涉及abi变化(是/否)：
  1.master(6.6.0):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.openEuler-22.03-LTS-SP4(5.10.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):

原因说明：
  1.openEuler-24.03-LTS(6.6.0):暂不修复-暂无解决方案或补丁
2.openEuler-24.03-LTS-SP1(6.6.0):暂不修复-暂无解决方案或补丁
3.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
4.openEuler-22.03-LTS-SP3(5.10.0):不修复-超出修复范围
5.openEuler-22.03-LTS-SP4(5.10.0):不修复-超出修复范围
6.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
7.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-SP2(6.6.0):

src-openEuler/kernel

内容风险标识

评论 (11)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-57976

评论 (11)

搜索帮助

src-openEuler/kernel