CVE-2024-57975

一、漏洞信息
 漏洞编号：[CVE-2024-57975](https://nvd.nist.gov/vuln/detail/CVE-2024-57975)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:btrfs: do proper folio cleanup when run_delalloc_nocow() failed[BUG]With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crashwith the following VM_BUG_ON_FOLIO():  BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664  aops:btrfs_aops [btrfs] ino:101 dentry name(?): f1774   flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))  ------------[ cut here ]------------  kernel BUG at mm/page-writeback.c:2992!  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE      6.12.0-rc7-custom+ #87  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]  pc : folio_clear_dirty_for_io+0x128/0x258  lr : folio_clear_dirty_for_io+0x128/0x258  Call trace:   folio_clear_dirty_for_io+0x128/0x258   btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]   __process_folios_contig+0x154/0x268 [btrfs]   extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]   run_delalloc_nocow+0x5f8/0x760 [btrfs]   btrfs_run_delalloc_range+0xa8/0x220 [btrfs]   writepage_delalloc+0x230/0x4c8 [btrfs]   extent_writepage+0xb8/0x358 [btrfs]   extent_write_cache_pages+0x21c/0x4e8 [btrfs]   btrfs_writepages+0x94/0x150 [btrfs]   do_writepages+0x74/0x190   filemap_fdatawrite_wbc+0x88/0xc8   start_delalloc_inodes+0x178/0x3a8 [btrfs]   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]   shrink_delalloc+0x114/0x280 [btrfs]   flush_space+0x250/0x2f8 [btrfs]   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]   process_one_work+0x164/0x408   worker_thread+0x25c/0x388   kthread+0x100/0x118   ret_from_fork+0x10/0x20  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)  ---[ end trace 0000000000000000 ]---[CAUSE]The first two lines of extra debug messages show the problem is causedby the error handling of run_delalloc_nocow().E.g. we have the following dirtied range (4K blocksize 4K page size):    0                 16K                  32K    |//////////////////////////////////////|    |  Pre-allocated  |And the range [0, 16K) has a preallocated extent.- Enter run_delalloc_nocow() for range [0, 16K)  Which found range [0, 16K) is preallocated, can do the proper NOCOW  write.- Enter fallback_to_fow() for range [16K, 32K)  Since the range [16K, 32K) is not backed by preallocated extent, we  have to go COW.- cow_file_range() failed for range [16K, 32K)  So cow_file_range() will do the clean up by clearing folio dirty,  unlock the folios.  Now the folios in range [16K, 32K) is unlocked.- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()  Which is called with PAGE_START_WRITEBACK to start page writeback.  But folios can only be marked writeback when it s properly locked,  thus this triggered the VM_BUG_ON_FOLIO().Furthermore there is another hidden but common bug thatrun_delalloc_nocow() is not clearing the folio dirty flags in its errorhandling path.This is the common bug shared between run_delalloc_nocow() andcow_file_range().[FIX]- Clear folio dirty for range [@start, @cur_offset)  Introduce a helper, cleanup_dirty_folios(), which  will find and lock the folio in the range, clear the dirty flag and  start/end the writeback, with the extra handling for the  @locked_folio.- Introduce a helper to clear folio dirty, start and end writeback- Introduce a helper to record the last failed COW range end  This is to trace which range we should skip, to avoid double  unlocking.- Skip the failed COW range for the e---truncated---
 漏洞公开时间：2025-02-27 10:15:10
 漏洞创建时间：2025-02-27 11:31:28
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-57975
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-57975 | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-57975 | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325 | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296 | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-57975.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2348586 | https://bugzilla.suse.com/show_bug.cgi?id=1239099 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2025022633-CVE-2024-57975-e1c7@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2348586 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-57975 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux_kernel | 6.12.13 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5ae72abbf91eb172ce3a838a4dc34be3c9707296Fixed |  | linuxkernelcves |
| linux_kernel | 6.13.2 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2434533f1c963e7317c45880c98287e5bed98325Fixed |  | linuxkernelcves |
| linux_kernel | 6.14-rc1 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c2b47df81c8e20a8e8cd94f0d7df211137ae94edPlease |  | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:btrfs: do proper folio cleanup when run_delalloc_nocow() failed[BUG]  With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash  with the following VM_BUG_ON_FOLIO():BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664  aops:btrfs_aops [btrfs] ino:101 dentry name(?): f1774   flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))  ------------[ cut here ]------------  kernel BUG at mm/page-writeback.c:2992!  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]  pc : folio_clear_dirty_for_io+0x128/0x258  lr : folio_clear_dirty_for_io+0x128/0x258  Call trace:  folio_clear_dirty_for_io+0x128/0x258  btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]  __process_folios_contig+0x154/0x268 [btrfs]  extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]  run_delalloc_nocow+0x5f8/0x760 [btrfs]  btrfs_run_delalloc_range+0xa8/0x220 [btrfs]  writepage_delalloc+0x230/0x4c8 [btrfs]  extent_writepage+0xb8/0x358 [btrfs]  extent_write_cache_pages+0x21c/0x4e8 [btrfs]  btrfs_writepages+0x94/0x150 [btrfs]  do_writepages+0x74/0x190  filemap_fdatawrite_wbc+0x88/0xc8  start_delalloc_inodes+0x178/0x3a8 [btrfs]  btrfs_start_delalloc_roots+0x174/0x280 [btrfs]  shrink_delalloc+0x114/0x280 [btrfs]  flush_space+0x250/0x2f8 [btrfs]  btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]  process_one_work+0x164/0x408  worker_thread+0x25c/0x388  kthread+0x100/0x118  ret_from_fork+0x10/0x20  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)  ---[ end trace 0000000000000000 ]---[CAUSE]  The first two lines of extra debug messages show the problem is caused  by the error handling of run_delalloc_nocow().E.g. we have the following dirtied range (4K blocksize 4K page size):```0                 16K                  32K|//////////////////////////////////////||  Pre-allocated  |```And the range [0, 16K) has a preallocated extent.- Enter run_delalloc_nocow() for range [0, 16K)      Which found range [0, 16K) is preallocated, can do the proper NOCOW      write.    - Enter fallback_to_fow() for range [16K, 32K)      Since the range [16K, 32K) is not backed by preallocated extent, we      have to go COW.    - cow_file_range() failed for range [16K, 32K)      So cow_file_range() will do the clean up by clearing folio dirty,      unlock the folios.        Now the folios in range [16K, 32K) is unlocked.    - Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()      Which is called with PAGE_START_WRITEBACK to start page writeback.      But folios can only be marked writeback when it_x27;s properly locked,      thus this triggered the VM_BUG_ON_FOLIO().    Furthermore there is another hidden but common bug that  run_delalloc_nocow() is not clearing the folio dirty flags in its error  handling path.  This is the common bug shared between run_delalloc_nocow() and  cow_file_range().[FIX]- Clear folio dirty for range [@start, @cur_offset)      Introduce a helper, cleanup_dirty_folios(), which      will find and lock the folio in the range, clear the dirty flag and      start/end the writeback, with the extra handling for the      @locked_folio.    - Introduce a helper to clear folio dirty, start and end writeback    - Introduce a helper to record the last failed COW range end      This is to trace which range we should skip, to avoid double      unlocking.    - Skip the failed COW range for the e
 openEuler评分：
  3.9
 Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.openEuler-24.03-LTS-SP2(6.6.0):受影响
7.master(6.6.0):不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP3(5.10.0):否
3.master(6.6.0):否
4.openEuler-24.03-LTS(6.6.0):否
5.openEuler-24.03-LTS-Next(6.6.0):否
6.openEuler-22.03-LTS-SP4(5.10.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):暂不修复-暂无解决方案或补丁
2.openEuler-24.03-LTS-SP1(6.6.0):暂不修复-暂无解决方案或补丁
3.openEuler-24.03-LTS-SP2(6.6.0):暂不修复-暂无解决方案或补丁
4.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
5.openEuler-22.03-LTS-SP3(5.10.0):不修复-超出修复范围
6.openEuler-22.03-LTS-SP4(5.10.0):不修复-超出修复范围
7.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发

src-openEuler/kernel

内容风险标识

评论 (15)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-57975

评论 (15)

搜索帮助

src-openEuler/kernel