From 114f0c3a79127252b0c11f2c9004388a8b89c07d Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 12 Oct 2018 08:10:15 +0200 Subject: btrfs: CVE-2018-14609 btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized References: https://patchwork.kernel.org/patch/10500521/ Change-Id: Ia40f64a8248f2062c6feeae5238b43f537bd23b5 Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 3 + ...ation-Only-remove-reloc-rb_trees-if-reloc.patch | 67 ++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 patches/cve/CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index eef4955..d730f9d 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -12,3 +12,6 @@ patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch #CVEs fixed in 4.9.125: patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch + +#CVEs fixed in 4.9.127: +patch CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch \ No newline at end of file diff --git a/patches/cve/CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch b/patches/cve/CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch new file mode 100644 index 0000000..44bf010 --- /dev/null +++ b/patches/cve/CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch @@ -0,0 +1,67 @@ +From 389305b2aa68723c754f88d9dbd268a400e10664 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:07 +0800 +Subject: [PATCH] btrfs: relocation: Only remove reloc rb_trees if reloc + control has been initialized + +Invalid reloc tree can cause kernel NULL pointer dereference when btrfs +does some cleanup of the reloc roots. + +It turns out that fs_info::reloc_ctl can be NULL in +btrfs_recover_relocation() as we allocate relocation control after all +reloc roots have been verified. +So when we hit: note, we haven't called set_reloc_control() thus +fs_info::reloc_ctl is still NULL. + +CVE: CVE-2018-14609 +Upstream-Status: Backport + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Andreas Wellving +--- + fs/btrfs/relocation.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 229f721..b98d7a5 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1281,18 +1281,19 @@ static void __del_reloc_root(struct btrfs_root *root) + struct mapping_node *node = NULL; + struct reloc_control *rc = fs_info->reloc_ctl; + +- spin_lock(&rc->reloc_root_tree.lock); +- rb_node = tree_search(&rc->reloc_root_tree.rb_root, +- root->node->start); +- if (rb_node) { +- node = rb_entry(rb_node, struct mapping_node, rb_node); +- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ if (rc) { ++ spin_lock(&rc->reloc_root_tree.lock); ++ rb_node = tree_search(&rc->reloc_root_tree.rb_root, ++ root->node->start); ++ if (rb_node) { ++ node = rb_entry(rb_node, struct mapping_node, rb_node); ++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ } ++ spin_unlock(&rc->reloc_root_tree.lock); ++ if (!node) ++ return; ++ BUG_ON((struct btrfs_root *)node->data != root); + } +- spin_unlock(&rc->reloc_root_tree.lock); +- +- if (!node) +- return; +- BUG_ON((struct btrfs_root *)node->data != root); + + spin_lock(&fs_info->trans_lock); + list_del_init(&root->root_list); +-- +2.7.4 + -- cgit v1.2.3-54-g00ecf