CVE-2024-26944

In the Linux kernel, the following vulnerability has been resolved: btrfs:
zoned: fix use-after-free in do_zone_finish() Shinichiro reported the
following use-after-free triggered by the device replace operation in
fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1
with status: 0
================================================================== BUG:
KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of
size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID:
3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name:
Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK>
dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ?
__virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ?
do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs]
do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750
[btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ?
btrfs_put_root+0x2d/0x220 [btrfs] ?
btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]
cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10
[btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983:
kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs]
device_list_add.constprop.0+0x993/0x1630 [btrfs]
btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310
[btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056:
kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30
kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170
__kasan_slab_free+0x32/0x70 kfree+0x11b/0x320
btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]
btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]
btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0
[btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the
object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size
1024 The buggy address is located 96 bytes inside of freed 1024-byte region
[ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the
physical page: page:00000000fe2c1285 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285
order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags:
0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type:
0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200
dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff
0000000000000000 page dumped because: kasan: bad access detected Memory
state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF
happens because we’re accessing stale zone information of a already removed
btrfs_device in do_zone_finish(). The sequence of events is as follows:
btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing
btrfs_dev_replace_update_device_in_mapping_tree <– devices replaced
btrfs_rm_dev_replace_free_srcdev btrfs_free_device <– device freed
cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish
<– refers the freed device The reason for this is that we’re using a
—truncated—