CVE-2024-42266

一、漏洞信息
 漏洞编号：[CVE-2024-42266](https://nvd.nist.gov/vuln/detail/CVE-2024-42266)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 None
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:btrfs: make cow_file_range_inline() honor locked_page on errorThe btrfs buffered write path runs through __extent_writepage() whichhas some tricky return value handling for writepage_delalloc().Specifically, when that returns 1, we exit, but for other return valueswe continue and end up calling btrfs_folio_end_all_writers(). If thefolio has been unlocked (note that we check the PageLocked bit at thestart of __extent_writepage()), this results in an assert panic likethis one from syzbot:  BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure  BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction.  BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure  assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871  ------------[ cut here ]------------  kernel BUG at fs/btrfs/subpage.c:871!  Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI  CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted  6.10.0-syzkaller-05505-gb1bc554e009e #0  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 06/27/2024  RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871  Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d  0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8  6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89  RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246  RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00  RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000  RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc  R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001  R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80  FS:  0000000000000000(0000) GS:ffff8880b9500000(0000)  knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  Call Trace:  <TASK>  __extent_writepage fs/btrfs/extent_io.c:1597 [inline]  extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline]  btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373  do_writepages+0x359/0x870 mm/page-writeback.c:2656  filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397  __filemap_fdatawrite_range mm/filemap.c:430 [inline]  __filemap_fdatawrite mm/filemap.c:436 [inline]  filemap_flush+0xdf/0x130 mm/filemap.c:463  btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547  __fput+0x24a/0x8a0 fs/file_table.c:422  task_work_run+0x24f/0x310 kernel/task_work.c:222  exit_task_work include/linux/task_work.h:40 [inline]  do_exit+0xa2f/0x27f0 kernel/exit.c:877  do_group_exit+0x207/0x2c0 kernel/exit.c:1026  __do_sys_exit_group kernel/exit.c:1037 [inline]  __se_sys_exit_group kernel/exit.c:1035 [inline]  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035  x64_sys_call+0x2634/0x2640  arch/x86/include/generated/asm/syscalls_64.h:232  do_syscall_x64 arch/x86/entry/common.c:52 [inline]  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83  entry_SYSCALL_64_after_hwframe+0x77/0x7f  RIP: 0033:0x7f5f075b70c9  Code: Unable to access opcode bytes at  0x7f5f075b709f.I was hitting the same issue by doing hundreds of accelerated runs ofgeneric/475, which also hits IO errors by design.I instrumented that reproducer with bpftrace and found that theundesirable folio_unlock was coming from the following callstack:  folio_unlock+5  __process_pages_contig+475  cow_file_range_inline.constprop.0+230  cow_file_range+803  btrfs_run_delalloc_range+566  writepage_delalloc+332  __extent_writepage # inlined in my stacktrace, but I added it here  extent_write_cache_pages+622Looking at the bisected-to pa---truncated---
 漏洞公开时间：2024-08-17 17:15:07
 漏洞创建时间：2024-08-18 02:34:00
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-42266
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/061e41581606000a83ce0f0f01d6ad338f3704e9 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/478574370bef7951fbd9ef5155537d6cbed49472 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-42266 | https://bugzilla.suse.com/show_bug.cgi?id=1229384 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-42266 | https://bugzilla.suse.com/show_bug.cgi?id=1229384 |
| suse_bugzilla | https://git.kernel.org/stable/c/061e41581606000a83ce0f0f01d6ad338f3704e9 | https://bugzilla.suse.com/show_bug.cgi?id=1229384 |
| suse_bugzilla | https://git.kernel.org/stable/c/478574370bef7951fbd9ef5155537d6cbed49472 | https://bugzilla.suse.com/show_bug.cgi?id=1229384 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-42266.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1229384 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-42266 | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://git.kernel.org/linus/478574370bef7951fbd9ef5155537d6cbed49472 (6.11-rc2) | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://git.kernel.org/stable/c/061e41581606000a83ce0f0f01d6ad338f3704e9 | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://git.kernel.org/stable/c/478574370bef7951fbd9ef5155537d6cbed49472 | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-42266 | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-42266 | https://ubuntu.com/security/CVE-2024-42266 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-42266 | https://ubuntu.com/security/CVE-2024-42266 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-42266 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/478574370bef7951fbd9ef5155537d6cbed49472 | https://git.kernel.org/linus/0586d0a89e77d717da14df42648ace4a9fd67981 | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  Reserved.
 openEuler评分：
  3.9
 Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):不受影响
2.openEuler-22.03-LTS-SP1(5.10.0):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.master(6.6.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

src-openEuler/kernel
Closed

Content Risk Flag

Comments (15)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-42266

Comments (15)

Search

src-openEuler/kernel
Closed