529 lines
32 KiB
XML
529 lines
32 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
||
<DocumentTitle xml:lang="en">An update for kernel is now available for openEuler-22.03-LTS-SP1</DocumentTitle>
|
||
<DocumentType>Security Advisory</DocumentType>
|
||
<DocumentPublisher Type="Vendor">
|
||
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
||
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
||
</DocumentPublisher>
|
||
<DocumentTracking>
|
||
<Identification>
|
||
<ID>openEuler-SA-2024-1299</ID>
|
||
</Identification>
|
||
<Status>Final</Status>
|
||
<Version>1.0</Version>
|
||
<RevisionHistory>
|
||
<Revision>
|
||
<Number>1.0</Number>
|
||
<Date>2024-03-22</Date>
|
||
<Description>Initial</Description>
|
||
</Revision>
|
||
</RevisionHistory>
|
||
<InitialReleaseDate>2024-03-22</InitialReleaseDate>
|
||
<CurrentReleaseDate>2024-03-22</CurrentReleaseDate>
|
||
<Generator>
|
||
<Engine>openEuler SA Tool V1.0</Engine>
|
||
<Date>2024-03-22</Date>
|
||
</Generator>
|
||
</DocumentTracking>
|
||
<DocumentNotes>
|
||
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">kernel security update</Note>
|
||
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for kernel is now available for openEuler-22.03-LTS-SP1.</Note>
|
||
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">The Linux Kernel, the operating system core itself.
|
||
|
||
Security Fix(es):
|
||
|
||
In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
btrfs: fix deadlock when cloning inline extents and using qgroups
|
||
|
||
There are a few exceptional cases where cloning an inline extent needs to
|
||
copy the inline extent data into a page of the destination inode.
|
||
|
||
When this happens, we end up starting a transaction while having a dirty
|
||
page for the destination inode and while having the range locked in the
|
||
destination's inode iotree too. Because when reserving metadata space
|
||
for a transaction we may need to flush existing delalloc in case there is
|
||
not enough free space, we have a mechanism in place to prevent a deadlock,
|
||
which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when
|
||
cloning inline extent and low on free metadata space").
|
||
|
||
However when using qgroups, a transaction also reserves metadata qgroup
|
||
space, which can also result in flushing delalloc in case there is not
|
||
enough available space at the moment. When this happens we deadlock, since
|
||
flushing delalloc requires locking the file range in the inode's iotree
|
||
and the range was already locked at the very beginning of the clone
|
||
operation, before attempting to start the transaction.
|
||
|
||
When this issue happens, stack traces like the following are reported:
|
||
|
||
[72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
|
||
[72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
|
||
[72747.556271] Call Trace:
|
||
[72747.556273] __schedule+0x296/0x760
|
||
[72747.556277] schedule+0x3c/0xa0
|
||
[72747.556279] io_schedule+0x12/0x40
|
||
[72747.556284] __lock_page+0x13c/0x280
|
||
[72747.556287] ? generic_file_readonly_mmap+0x70/0x70
|
||
[72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
|
||
[72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160
|
||
[72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]
|
||
[72747.556362] ? update_group_capacity+0x25/0x210
|
||
[72747.556366] ? cpumask_next_and+0x1a/0x20
|
||
[72747.556391] extent_writepages+0x44/0xa0 [btrfs]
|
||
[72747.556394] do_writepages+0x41/0xd0
|
||
[72747.556398] __writeback_single_inode+0x39/0x2a0
|
||
[72747.556403] writeback_sb_inodes+0x1ea/0x440
|
||
[72747.556407] __writeback_inodes_wb+0x5f/0xc0
|
||
[72747.556410] wb_writeback+0x235/0x2b0
|
||
[72747.556414] ? get_nr_inodes+0x35/0x50
|
||
[72747.556417] wb_workfn+0x354/0x490
|
||
[72747.556420] ? newidle_balance+0x2c5/0x3e0
|
||
[72747.556424] process_one_work+0x1aa/0x340
|
||
[72747.556426] worker_thread+0x30/0x390
|
||
[72747.556429] ? create_worker+0x1a0/0x1a0
|
||
[72747.556432] kthread+0x116/0x130
|
||
[72747.556435] ? kthread_park+0x80/0x80
|
||
[72747.556438] ret_from_fork+0x1f/0x30
|
||
|
||
[72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
|
||
[72747.566961] Call Trace:
|
||
[72747.566964] __schedule+0x296/0x760
|
||
[72747.566968] ? finish_wait+0x80/0x80
|
||
[72747.566970] schedule+0x3c/0xa0
|
||
[72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
|
||
[72747.566999] ? finish_wait+0x80/0x80
|
||
[72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
|
||
[72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]
|
||
[72747.567051] ? find_get_pages_range_tag+0x2cd/0x380
|
||
[72747.567076] __extent_writepage+0x203/0x320 [btrfs]
|
||
[72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
|
||
[72747.567106] ? update_load_avg+0x7e/0x5f0
|
||
[72747.567109] ? enqueue_entity+0xf4/0x6f0
|
||
[72747.567134] extent_writepages+0x44/0xa0 [btrfs]
|
||
[72747.567137] ? enqueue_task_fair+0x93/0x6f0
|
||
[72747.567140] do_writepages+0x41/0xd0
|
||
[72747.567144] __filemap_fdatawrite_range+0xc7/0x100
|
||
[72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]
|
||
[72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]
|
||
[72747.567200] process_one_work+0x1aa/0x340
|
||
[72747.567202] worker_thread+0x30/0x390
|
||
[72747.567205] ? create_worker+0x1a0/0x1a0
|
||
[72747.567208] kthread+0x116/0x130
|
||
[72747.567211] ? kthread_park+0x80/0x80
|
||
[72747.567214] ret_from_fork+0x1f/0x30
|
||
|
||
[72747.569686] task:fsstress state:D stack:
|
||
---truncated---(CVE-2021-46987)
|
||
|
||
In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
bpf: Defer the free of inner map when necessary
|
||
|
||
When updating or deleting an inner map in map array or map htab, the map
|
||
may still be accessed by non-sleepable program or sleepable program.
|
||
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map
|
||
directly through bpf_map_put(), if the ref-counter is the last one
|
||
(which is true for most cases), the inner map will be freed by
|
||
ops->map_free() in a kworker. But for now, most .map_free() callbacks
|
||
don't use synchronize_rcu() or its variants to wait for the elapse of a
|
||
RCU grace period, so after the invocation of ops->map_free completes,
|
||
the bpf program which is accessing the inner map may incur
|
||
use-after-free problem.
|
||
|
||
Fix the free of inner map by invoking bpf_map_free_deferred() after both
|
||
one RCU grace period and one tasks trace RCU grace period if the inner
|
||
map has been removed from the outer map before. The deferment is
|
||
accomplished by using call_rcu() or call_rcu_tasks_trace() when
|
||
releasing the last ref-counter of bpf map. The newly-added rcu_head
|
||
field in bpf_map shares the same storage space with work field to
|
||
reduce the size of bpf_map.(CVE-2023-52447)
|
||
|
||
In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
|
||
|
||
Syzkaller has reported a NULL pointer dereference when accessing
|
||
rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating
|
||
rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in
|
||
gfs2_rgrp_dump() to prevent that.(CVE-2023-52448)
|
||
|
||
In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
|
||
|
||
If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
|
||
triggers NULL pointer dereference when trying to access
|
||
‘gluebi->desc’ in gluebi_read().
|
||
|
||
ubi_gluebi_init
|
||
ubi_register_volume_notifier
|
||
ubi_enumerate_volumes
|
||
ubi_notify_all
|
||
gluebi_notify nb->notifier_call()
|
||
gluebi_create
|
||
mtd_device_register
|
||
mtd_device_parse_register
|
||
add_mtd_device
|
||
blktrans_notify_add not->add()
|
||
ftl_add_mtd tr->add_mtd()
|
||
scan_header
|
||
mtd_read
|
||
mtd_read_oob
|
||
mtd_read_oob_std
|
||
gluebi_read mtd->read()
|
||
gluebi->desc - NULL
|
||
|
||
Detailed reproduction information available at the Link [1],
|
||
|
||
In the normal case, obtain gluebi->desc in the gluebi_get_device(),
|
||
and access gluebi->desc in the gluebi_read(). However,
|
||
gluebi_get_device() is not executed in advance in the
|
||
ftl_add_mtd() process, which leads to NULL pointer dereference.
|
||
|
||
The solution for the gluebi module is to run jffs2 on the UBI
|
||
volume without considering working with ftl or mtdblock [2].
|
||
Therefore, this problem can be avoided by preventing gluebi from
|
||
creating the mtdblock device after creating mtd partition of the
|
||
type MTD_UBIVOLUME.(CVE-2023-52449)
|
||
|
||
In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
bpf: Fix accesses to uninit stack slots
|
||
|
||
Privileged programs are supposed to be able to read uninitialized stack
|
||
memory (ever since 6715df8d5) but, before this patch, these accesses
|
||
were permitted inconsistently. In particular, accesses were permitted
|
||
above state->allocated_stack, but not below it. In other words, if the
|
||
stack was already "large enough", the access was permitted, but
|
||
otherwise the access was rejected instead of being allowed to "grow the
|
||
stack". This undesired rejection was happening in two places:
|
||
- in check_stack_slot_within_bounds()
|
||
- in check_stack_range_initialized()
|
||
This patch arranges for these accesses to be permitted. A bunch of tests
|
||
that were relying on the old rejection had to change; all of them were
|
||
changed to add also run unprivileged, in which case the old behavior
|
||
persists. One tests couldn't be updated - global_func16 - because it
|
||
can't run unprivileged for other reasons.
|
||
|
||
This patch also fixes the tracking of the stack size for variable-offset
|
||
reads. This second fix is bundled in the same commit as the first one
|
||
because they're inter-related. Before this patch, writes to the stack
|
||
using registers containing a variable offset (as opposed to registers
|
||
with fixed, known values) were not properly contributing to the
|
||
function's needed stack size. As a result, it was possible for a program
|
||
to verify, but then to attempt to read out-of-bounds data at runtime
|
||
because a too small stack had been allocated for it.
|
||
|
||
Each function tracks the size of the stack it needs in
|
||
bpf_subprog_info.stack_depth, which is maintained by
|
||
update_stack_depth(). For regular memory accesses, check_mem_access()
|
||
was calling update_state_depth() but it was passing in only the fixed
|
||
part of the offset register, ignoring the variable offset. This was
|
||
incorrect; the minimum possible value of that register should be used
|
||
instead.
|
||
|
||
This tracking is now fixed by centralizing the tracking of stack size in
|
||
grow_stack_state(), and by lifting the calls to grow_stack_state() to
|
||
check_stack_access_within_bounds() as suggested by Andrii. The code is
|
||
now simpler and more convincingly tracks the correct maximum stack size.
|
||
check_stack_range_initialized() can now rely on enough stack having been
|
||
allocated for the access; this helps with the fix for the first issue.
|
||
|
||
A few tests were changed to also check the stack depth computation. The
|
||
one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.(CVE-2023-52452)</Note>
|
||
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for kernel is now available for openEuler-22.03-LTS-SP1.
|
||
|
||
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
||
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
|
||
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">kernel</Note>
|
||
</DocumentNotes>
|
||
<DocumentReferences>
|
||
<Reference Type="Self">
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Reference>
|
||
<Reference Type="openEuler CVE">
|
||
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-46987</URL>
|
||
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52447</URL>
|
||
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52448</URL>
|
||
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52449</URL>
|
||
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52452</URL>
|
||
</Reference>
|
||
<Reference Type="Other">
|
||
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-46987</URL>
|
||
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-52447</URL>
|
||
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-52448</URL>
|
||
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-52449</URL>
|
||
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-52452</URL>
|
||
</Reference>
|
||
</DocumentReferences>
|
||
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
||
<Branch Type="Product Name" Name="openEuler">
|
||
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
||
</Branch>
|
||
<Branch Type="Package Arch" Name="aarch64">
|
||
<FullProductName ProductID="kernel-tools-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-debuginfo-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="python3-perf-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python3-perf-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-tools-devel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-devel-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="perf-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">perf-debuginfo-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="python3-perf-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python3-perf-debuginfo-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-devel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-devel-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-source-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-source-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="perf-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">perf-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-tools-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-debuginfo-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-debugsource-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-debugsource-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-headers-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-headers-5.10.0-136.68.0.148.oe2203sp1.aarch64.rpm</FullProductName>
|
||
</Branch>
|
||
<Branch Type="Package Arch" Name="src">
|
||
<FullProductName ProductID="kernel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-5.10.0-136.68.0.148.oe2203sp1.src.rpm</FullProductName>
|
||
</Branch>
|
||
<Branch Type="Package Arch" Name="x86_64">
|
||
<FullProductName ProductID="kernel-headers-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-headers-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-tools-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-debuginfo-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-devel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-devel-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-tools-devel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-devel-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="perf-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">perf-debuginfo-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="python3-perf-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python3-perf-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-debuginfo-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="python3-perf-debuginfo-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python3-perf-debuginfo-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="perf-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">perf-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-source-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-source-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-tools-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-tools-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
<FullProductName ProductID="kernel-debugsource-5.10.0-136.68.0.148" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">kernel-debugsource-5.10.0-136.68.0.148.oe2203sp1.x86_64.rpm</FullProductName>
|
||
</Branch>
|
||
</ProductTree>
|
||
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
<Notes>
|
||
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:
|
||
|
||
btrfs: fix deadlock when cloning inline extents and using qgroups
|
||
|
||
There are a few exceptional cases where cloning an inline extent needs to
|
||
copy the inline extent data into a page of the destination inode.
|
||
|
||
When this happens, we end up starting a transaction while having a dirty
|
||
page for the destination inode and while having the range locked in the
|
||
destination's inode iotree too. Because when reserving metadata space
|
||
for a transaction we may need to flush existing delalloc in case there is
|
||
not enough free space, we have a mechanism in place to prevent a deadlock,
|
||
which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when
|
||
cloning inline extent and low on free metadata space").
|
||
|
||
However when using qgroups, a transaction also reserves metadata qgroup
|
||
space, which can also result in flushing delalloc in case there is not
|
||
enough available space at the moment. When this happens we deadlock, since
|
||
flushing delalloc requires locking the file range in the inode's iotree
|
||
and the range was already locked at the very beginning of the clone
|
||
operation, before attempting to start the transaction.
|
||
|
||
When this issue happens, stack traces like the following are reported:
|
||
|
||
[72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
|
||
[72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
|
||
[72747.556271] Call Trace:
|
||
[72747.556273] __schedule+0x296/0x760
|
||
[72747.556277] schedule+0x3c/0xa0
|
||
[72747.556279] io_schedule+0x12/0x40
|
||
[72747.556284] __lock_page+0x13c/0x280
|
||
[72747.556287] ? generic_file_readonly_mmap+0x70/0x70
|
||
[72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
|
||
[72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160
|
||
[72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]
|
||
[72747.556362] ? update_group_capacity+0x25/0x210
|
||
[72747.556366] ? cpumask_next_and+0x1a/0x20
|
||
[72747.556391] extent_writepages+0x44/0xa0 [btrfs]
|
||
[72747.556394] do_writepages+0x41/0xd0
|
||
[72747.556398] __writeback_single_inode+0x39/0x2a0
|
||
[72747.556403] writeback_sb_inodes+0x1ea/0x440
|
||
[72747.556407] __writeback_inodes_wb+0x5f/0xc0
|
||
[72747.556410] wb_writeback+0x235/0x2b0
|
||
[72747.556414] ? get_nr_inodes+0x35/0x50
|
||
[72747.556417] wb_workfn+0x354/0x490
|
||
[72747.556420] ? newidle_balance+0x2c5/0x3e0
|
||
[72747.556424] process_one_work+0x1aa/0x340
|
||
[72747.556426] worker_thread+0x30/0x390
|
||
[72747.556429] ? create_worker+0x1a0/0x1a0
|
||
[72747.556432] kthread+0x116/0x130
|
||
[72747.556435] ? kthread_park+0x80/0x80
|
||
[72747.556438] ret_from_fork+0x1f/0x30
|
||
|
||
[72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
|
||
[72747.566961] Call Trace:
|
||
[72747.566964] __schedule+0x296/0x760
|
||
[72747.566968] ? finish_wait+0x80/0x80
|
||
[72747.566970] schedule+0x3c/0xa0
|
||
[72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
|
||
[72747.566999] ? finish_wait+0x80/0x80
|
||
[72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
|
||
[72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]
|
||
[72747.567051] ? find_get_pages_range_tag+0x2cd/0x380
|
||
[72747.567076] __extent_writepage+0x203/0x320 [btrfs]
|
||
[72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
|
||
[72747.567106] ? update_load_avg+0x7e/0x5f0
|
||
[72747.567109] ? enqueue_entity+0xf4/0x6f0
|
||
[72747.567134] extent_writepages+0x44/0xa0 [btrfs]
|
||
[72747.567137] ? enqueue_task_fair+0x93/0x6f0
|
||
[72747.567140] do_writepages+0x41/0xd0
|
||
[72747.567144] __filemap_fdatawrite_range+0xc7/0x100
|
||
[72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]
|
||
[72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]
|
||
[72747.567200] process_one_work+0x1aa/0x340
|
||
[72747.567202] worker_thread+0x30/0x390
|
||
[72747.567205] ? create_worker+0x1a0/0x1a0
|
||
[72747.567208] kthread+0x116/0x130
|
||
[72747.567211] ? kthread_park+0x80/0x80
|
||
[72747.567214] ret_from_fork+0x1f/0x30
|
||
|
||
[72747.569686] task:fsstress state:D stack:
|
||
---truncated---</Note>
|
||
</Notes>
|
||
<ReleaseDate>2024-03-22</ReleaseDate>
|
||
<CVE>CVE-2021-46987</CVE>
|
||
<ProductStatuses>
|
||
<Status Type="Fixed">
|
||
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
</Status>
|
||
</ProductStatuses>
|
||
<Threats>
|
||
<Threat Type="Impact">
|
||
<Description>Medium</Description>
|
||
</Threat>
|
||
</Threats>
|
||
<CVSSScoreSets>
|
||
<ScoreSet>
|
||
<BaseScore>5.5</BaseScore>
|
||
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</Vector>
|
||
</ScoreSet>
|
||
</CVSSScoreSets>
|
||
<Remediations>
|
||
<Remediation Type="Vendor Fix">
|
||
<Description>kernel security update</Description>
|
||
<DATE>2024-03-22</DATE>
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Remediation>
|
||
</Remediations>
|
||
</Vulnerability>
|
||
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
<Notes>
|
||
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:bpf: Defer the free of inner map when necessaryWhen updating or deleting an inner map in map array or map htab, the mapmay still be accessed by non-sleepable program or sleepable program.However bpf_map_fd_put_ptr() decreases the ref-counter of the inner mapdirectly through bpf_map_put(), if the ref-counter is the last one(which is true for most cases), the inner map will be freed byops->map_free() in a kworker. But for now, most .map_free() callbacksdon t use synchronize_rcu() or its variants to wait for the elapse of aRCU grace period, so after the invocation of ops->map_free completes,the bpf program which is accessing the inner map may incuruse-after-free problem.Fix the free of inner map by invoking bpf_map_free_deferred() after bothone RCU grace period and one tasks trace RCU grace period if the innermap has been removed from the outer map before. The deferment isaccomplished by using call_rcu() or call_rcu_tasks_trace() whenreleasing the last ref-counter of bpf map. The newly-added rcu_headfield in bpf_map shares the same storage space with work field toreduce the size of bpf_map.</Note>
|
||
</Notes>
|
||
<ReleaseDate>2024-03-22</ReleaseDate>
|
||
<CVE>CVE-2023-52447</CVE>
|
||
<ProductStatuses>
|
||
<Status Type="Fixed">
|
||
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
</Status>
|
||
</ProductStatuses>
|
||
<Threats>
|
||
<Threat Type="Impact">
|
||
<Description>High</Description>
|
||
</Threat>
|
||
</Threats>
|
||
<CVSSScoreSets>
|
||
<ScoreSet>
|
||
<BaseScore>7.8</BaseScore>
|
||
<Vector>AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L</Vector>
|
||
</ScoreSet>
|
||
</CVSSScoreSets>
|
||
<Remediations>
|
||
<Remediation Type="Vendor Fix">
|
||
<Description>kernel security update</Description>
|
||
<DATE>2024-03-22</DATE>
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Remediation>
|
||
</Remediations>
|
||
</Vulnerability>
|
||
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
<Notes>
|
||
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dumpSyzkaller has reported a NULL pointer dereference when accessingrgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creatingrgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check ingfs2_rgrp_dump() to prevent that.</Note>
|
||
</Notes>
|
||
<ReleaseDate>2024-03-22</ReleaseDate>
|
||
<CVE>CVE-2023-52448</CVE>
|
||
<ProductStatuses>
|
||
<Status Type="Fixed">
|
||
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
</Status>
|
||
</ProductStatuses>
|
||
<Threats>
|
||
<Threat Type="Impact">
|
||
<Description>Medium</Description>
|
||
</Threat>
|
||
</Threats>
|
||
<CVSSScoreSets>
|
||
<ScoreSet>
|
||
<BaseScore>5.5</BaseScore>
|
||
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</Vector>
|
||
</ScoreSet>
|
||
</CVSSScoreSets>
|
||
<Remediations>
|
||
<Remediation Type="Vendor Fix">
|
||
<Description>kernel security update</Description>
|
||
<DATE>2024-03-22</DATE>
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Remediation>
|
||
</Remediations>
|
||
</Vulnerability>
|
||
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
<Notes>
|
||
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:mtd: Fix gluebi NULL pointer dereference caused by ftl notifierIf both ftl.ko and gluebi.ko are loaded, the notifier of ftltriggers NULL pointer dereference when trying to access‘gluebi->desc’ in gluebi_read().ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULLDetailed reproduction information available at the Link [1],In the normal case, obtain gluebi->desc in the gluebi_get_device(),and access gluebi->desc in the gluebi_read(). However,gluebi_get_device() is not executed in advance in theftl_add_mtd() process, which leads to NULL pointer dereference.The solution for the gluebi module is to run jffs2 on the UBIvolume without considering working with ftl or mtdblock [2].Therefore, this problem can be avoided by preventing gluebi fromcreating the mtdblock device after creating mtd partition of thetype MTD_UBIVOLUME.</Note>
|
||
</Notes>
|
||
<ReleaseDate>2024-03-22</ReleaseDate>
|
||
<CVE>CVE-2023-52449</CVE>
|
||
<ProductStatuses>
|
||
<Status Type="Fixed">
|
||
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
</Status>
|
||
</ProductStatuses>
|
||
<Threats>
|
||
<Threat Type="Impact">
|
||
<Description>Medium</Description>
|
||
</Threat>
|
||
</Threats>
|
||
<CVSSScoreSets>
|
||
<ScoreSet>
|
||
<BaseScore>5.5</BaseScore>
|
||
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</Vector>
|
||
</ScoreSet>
|
||
</CVSSScoreSets>
|
||
<Remediations>
|
||
<Remediation Type="Vendor Fix">
|
||
<Description>kernel security update</Description>
|
||
<DATE>2024-03-22</DATE>
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Remediation>
|
||
</Remediations>
|
||
</Vulnerability>
|
||
<Vulnerability Ordinal="5" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
<Notes>
|
||
<Note Title="Vulnerability Description" Type="General" Ordinal="5" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:bpf: Fix accesses to uninit stack slotsPrivileged programs are supposed to be able to read uninitialized stackmemory (ever since 6715df8d5) but, before this patch, these accesseswere permitted inconsistently. In particular, accesses were permittedabove state->allocated_stack, but not below it. In other words, if thestack was already large enough , the access was permitted, butotherwise the access was rejected instead of being allowed to grow thestack . This undesired rejection was happening in two places:- in check_stack_slot_within_bounds()- in check_stack_range_initialized()This patch arranges for these accesses to be permitted. A bunch of teststhat were relying on the old rejection had to change; all of them werechanged to add also run unprivileged, in which case the old behaviorpersists. One tests couldn t be updated - global_func16 - because itcan t run unprivileged for other reasons.This patch also fixes the tracking of the stack size for variable-offsetreads. This second fix is bundled in the same commit as the first onebecause they re inter-related. Before this patch, writes to the stackusing registers containing a variable offset (as opposed to registerswith fixed, known values) were not properly contributing to thefunction s needed stack size. As a result, it was possible for a programto verify, but then to attempt to read out-of-bounds data at runtimebecause a too small stack had been allocated for it.Each function tracks the size of the stack it needs inbpf_subprog_info.stack_depth, which is maintained byupdate_stack_depth(). For regular memory accesses, check_mem_access()was calling update_state_depth() but it was passing in only the fixedpart of the offset register, ignoring the variable offset. This wasincorrect; the minimum possible value of that register should be usedinstead.This tracking is now fixed by centralizing the tracking of stack size ingrow_stack_state(), and by lifting the calls to grow_stack_state() tocheck_stack_access_within_bounds() as suggested by Andrii. The code isnow simpler and more convincingly tracks the correct maximum stack size.check_stack_range_initialized() can now rely on enough stack having beenallocated for the access; this helps with the fix for the first issue.A few tests were changed to also check the stack depth computation. Theone that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.</Note>
|
||
</Notes>
|
||
<ReleaseDate>2024-03-22</ReleaseDate>
|
||
<CVE>CVE-2023-52452</CVE>
|
||
<ProductStatuses>
|
||
<Status Type="Fixed">
|
||
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
</Status>
|
||
</ProductStatuses>
|
||
<Threats>
|
||
<Threat Type="Impact">
|
||
<Description>High</Description>
|
||
</Threat>
|
||
</Threats>
|
||
<CVSSScoreSets>
|
||
<ScoreSet>
|
||
<BaseScore>7.8</BaseScore>
|
||
<Vector>AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</Vector>
|
||
</ScoreSet>
|
||
</CVSSScoreSets>
|
||
<Remediations>
|
||
<Remediation Type="Vendor Fix">
|
||
<Description>kernel security update</Description>
|
||
<DATE>2024-03-22</DATE>
|
||
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1299</URL>
|
||
</Remediation>
|
||
</Remediations>
|
||
</Vulnerability>
|
||
</cvrfdoc> |