In the Linux kernel, the following vulnerability has been resolved: btrfs:
don’t abort filesystem when attempting to snapshot deleted subvolume If the
source file descriptor to the snapshot ioctl refers to a deleted subvolume,
we get the following abort: BTRFS: Transaction aborted (error -2) WARNING:
CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875
create_pending_snapshot+0x1040/0x1190 [btrfs] Modules linked in: pata_acpi
btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover
virtio_rng failover scsi_common rng_core raid6_pq libcrc32c CPU: 0 PID: 833
Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2 Hardware name: QEMU Standard
PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 RIP:
0010:create_pending_snapshot+0x1040/0x1190 [btrfs] RSP:
0018:ffffa09c01337af8 EFLAGS: 00010282 RAX: 0000000000000000 RBX:
ffff9982053e7c78 RCX: 0000000000000027 RDX: ffff99827dc20848 RSI:
0000000000000001 RDI: ffff99827dc20840 RBP: ffffa09c01337c00 R08:
0000000000000000 R09: ffffa09c01337998 R10: 0000000000000003 R11:
ffffffffb96da248 R12: fffffffffffffffe R13: ffff99820535bb28 R14:
ffff99820b7bd000 R15: ffff99820381ea80 FS: 00007fe20aadabc0(0000)
GS:ffff99827dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000
CR0: 0000000080050033 CR2: 0000559a120b502f CR3: 00000000055b6000 CR4:
00000000000006f0 Call Trace: <TASK> ? create_pending_snapshot+0x1040/0x1190
[btrfs] ? __warn+0x81/0x130 ? create_pending_snapshot+0x1040/0x1190 [btrfs]
? report_bug+0x171/0x1a0 ? handle_bug+0x3a/0x70 ? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20 ? create_pending_snapshot+0x1040/0x1190
[btrfs] ? create_pending_snapshot+0x1040/0x1190 [btrfs]
create_pending_snapshots+0x92/0xc0 [btrfs]
btrfs_commit_transaction+0x66b/0xf40 [btrfs] btrfs_mksubvol+0x301/0x4d0
[btrfs] btrfs_mksnapshot+0x80/0xb0 [btrfs]
__btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs] btrfs_ioctl+0x8a6/0x2650
[btrfs] ? kmem_cache_free+0x22/0x340 ? do_sys_openat2+0x97/0xe0
__x64_sys_ioctl+0x97/0xd0 do_syscall_64+0x46/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7fe20abe83af RSP:
002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX:
ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af RDX:
00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP:
0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0 R10:
0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13:
00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58 </TASK> —[
end trace 0000000000000000 ]— BTRFS: error (device vdc: state A) in
create_pending_snapshot:1875: errno=-2 No such entry BTRFS info (device
vdc: state EA): forced readonly BTRFS warning (device vdc: state EA):
Skipping commit of aborted transaction. BTRFS: error (device vdc: state EA)
in cleanup_transaction:2055: errno=-2 No such entry This happens because
create_pending_snapshot() initializes the new root item as a copy of the
source root item. This includes the refs field, which is 0 for a deleted
subvolume. The call to btrfs_insert_root() therefore inserts a root with
refs == 0. btrfs_get_new_fs_root() then finds the root and returns -ENOENT
if refs == 0, which causes create_pending_snapshot() to abort. Fix it by
checking the source root’s refs before attempting the snapshot, but after
locking subvol_sem to avoid racing with deletion.
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-106.116 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1061.67 | UNKNOWN |
git.kernel.org/linus/7081929ab2572920e94d70be3d332e5c9f97095a (6.8-rc2)
git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c
git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464
git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b
git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a
git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff
git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256
launchpad.net/bugs/cve/CVE-2024-26644
nvd.nist.gov/vuln/detail/CVE-2024-26644
security-tracker.debian.org/tracker/CVE-2024-26644
ubuntu.com/security/notices/USN-6766-1
ubuntu.com/security/notices/USN-6766-2
ubuntu.com/security/notices/USN-6766-3
ubuntu.com/security/notices/USN-6795-1
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2024-26644