This bug was fixed in the package linux-azure-5.8 -
5.8.0-1043.46~20.04.1
---------------
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium
* focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
(LP: #1944902)
* Support builtin revoked certificates (LP: #1932029)
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
[ Ubuntu: 5.8.0-66.74 ]
* focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
* linux: btrfs: fix NULL pointer dereference when deleting device by invalid
id (LP: #1945987)
- btrfs: fix NULL pointer dereference when deleting device by invalid id
* CVE-2021-38199
- NFSv4: Initialise connection to the server in nfs4_alloc_client()
* BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
- bnx2x: Fix enabling network interfaces without VFs
* CVE-2021-3759
- memcg: enable accounting of ipc resources
* CVE-2019-19449
- f2fs: fix wrong total_sections check and fsmeta check
- f2fs: fix to do sanity check on segment/section count
* Support builtin revoked certificates (LP: #1932029)
- Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
loaded"
- integrity: Move import of MokListRT certs to a separate routine
- integrity: Load certs from the EFI MOK config table
- certs: Add EFI_CERT_X509_GUID support for dbx entries
- certs: Move load_system_certificate_list to a common function
- certs: Add ability to preload revocation certs
- integrity: Load mokx variables into the blacklist keyring
- certs: add 'x509_revocation_list' to gitignore
- SAUCE: Dump stack when X.509 certificates cannot be loaded
- [Packaging] build canonical-revoked-certs.pem from branch/arch certs
- [Packaging] Revoke 2012 UEFI signing certificate as built-in
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
* Support importing mokx keys into revocation list from the mok table
(LP: #1928679)
- efi: Support for MOK variable config table
- efi: mokvar-table: fix some issues in new code
- efi: mokvar: add missing include of asm/early_ioremap.h
- efi/mokvar: Reserve the table only if it is in boot services data
- SAUCE: integrity: add informational messages when revoking certs
* Support importing mokx keys into revocation list from the mok table
(LP: #1928679) // CVE-2020-26541 when certificates are revoked via
MokListXRT.
- SAUCE: integrity: Load mokx certs from the EFI MOK config table
* CVE-2020-36311
- KVM: SVM: Periodically schedule when unregistering regions on destroy
* CVE-2021-22543
- KVM: do not allow mapping valid but non-reference-counted pages
* CVE-2021-3612
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
* CVE-2021-38207
- net: ll_temac: Fix TX BD buffer overwrite
* CVE-2021-40490
- ext4: fix race writing to an inline_data file while its xattrs are
changing
* LRMv5: switch primary version handling to kernel-versions data set
(LP: #1928921)
- [Packaging] switch to kernel-versions
-- Marcelo Henrique Cerri <marcelo.ce...@canonical.com> Thu, 07 Oct
2021 09:39:35 -0300
** Changed in: linux-azure-5.8 (Ubuntu Focal)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26541
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987
Title:
linux: btrfs: fix NULL pointer dereference when deleting device by
invalid id
Status in linux-azure package in Ubuntu:
Invalid
Status in linux-azure-5.8 package in Ubuntu:
Invalid
Status in linux-hwe-5.8 package in Ubuntu:
Invalid
Status in linux-azure source package in Focal:
In Progress
Status in linux-azure-5.8 source package in Focal:
Fix Released
Status in linux-hwe-5.8 source package in Focal:
Fix Committed
Bug description:
[BUG]
It's easy to trigger NULL pointer dereference, just by removing a
non-existing device id:
# mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
/dev/test/scratch2
# mount /dev/test/scratch1 /mnt/btrfs
# btrfs device remove 3 /mnt/btrfs
Then we have the following kernel NULL pointer dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
btrfs_ioctl+0x18bb/0x3190 [btrfs]
? lock_is_held_type+0xa5/0x120
? find_held_lock.constprop.0+0x2b/0x80
? do_user_addr_fault+0x201/0x6a0
? lock_release+0xd2/0x2d0
? __x64_sys_ioctl+0x83/0xb0
__x64_sys_ioctl+0x83/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
[CAUSE]
Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
btrfs_device directly") moves the "missing" device path check into
btrfs_rm_device().
But btrfs_rm_device() itself can have case where it only receives
@devid, with NULL as @device_path.
In that case, calling strcmp() on NULL will trigger the NULL pointer
dereference.
Before that commit, we handle the "missing" case inside
btrfs_find_device_by_devspec(), which will not check @device_path at all
if @devid is provided, thus no way to trigger the bug.
[FIX]
Before calling strcmp(), also make sure @device_path is not NULL.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1945987/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
