[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id
This bug was fixed in the package linux-azure-5.8 - 5.8.0-1043.46~20.04.1

---
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
    (LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by
    invalid id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
      loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP
      ioctl
  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are
      changing
  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

 -- Marcelo Henrique Cerri Thu, 07 Oct 2021 09:39:35 -0300

** Changed in: linux-azure-5.8 (Ubuntu Focal)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26541
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  Fix Released
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed

Bug description:
  [BUG]
  It's easy to trigger NULL pointer dereference, just by removing a
  non-existing device id:

   # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
      /dev/test/scratch2
   # mount /dev/test/scratch1 /mnt/btrfs
   # btrfs device remove 3 /mnt/btrfs

  Then we have the
[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed

Bug description:
  [BUG]
  It's easy to trigger NULL pointer dereference, just by removing a
  non-existing device id:

   # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
      /dev/test/scratch2
   # mount /dev/test/scratch1 /mnt/btrfs
   # btrfs device remove 3 /mnt/btrfs

  Then we have the following kernel NULL pointer dereference:

   BUG: kernel NULL pointer dereference, address:
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x) - not-present page
   PGD 0 P4D 0
   Oops: [#1] PREEMPT SMP NOPTI
   CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
   RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
    btrfs_ioctl+0x18bb/0x3190 [btrfs]
    ? lock_is_held_type+0xa5/0x120
    ? find_held_lock.constprop.0+0x2b/0x80
    ? do_user_addr_fault+0x201/0x6a0
    ? lock_release+0xd2/0x2d0
    ? __x64_sys_ioctl+0x83/0xb0
    __x64_sys_ioctl+0x83/0xb0
    do_syscall_64+0x3b/0x90
    entry_SYSCALL_64_after_hwframe+0x44/0xae

  [CAUSE]
  Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
  btrfs_device directly") moves the "missing" device path check into
  btrfs_rm_device().

  But btrfs_rm_device() itself can have case where it only receives
  @devid, with NULL as @device_path.

  In that case, calling strcmp() on NULL will trigger the NULL pointer
  dereference.

  Before that commit, we handle the "missing" case inside
  btrfs_find_device_by_devspec(), which will not check @device_path at
  all if @devid is provided, thus no way to trigger the bug.

  [FIX]
  Before calling strcmp(), also make sure @device_path is not NULL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1945987/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
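
Added example (not part of the original notification and not the kernel patch): a user-space C model of the check described under [CAUSE] and [FIX] in the bug description above. The device table, the model_* function names and the error value 1000 are constructed for illustration; the pre-fix path is reported as a flag rather than executed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the distinct "missing device not found" error. */
#define MODEL_ERR_MISSING_NOT_FOUND 1000

/* Constructed two-device filesystem, like the scratch1/scratch2 setup. */
static const struct { unsigned long long devid; const char *path; } model_devs[] = {
    { 1, "/dev/test/scratch1" },
    { 2, "/dev/test/scratch2" },
};

/* Lookup model: by devid when devid != 0 (path ignored), otherwise by path.
 * Returns 0 when found, -ENOENT when not found, -EINVAL for an empty spec. */
static int model_find_device(unsigned long long devid, const char *device_path)
{
    size_t i, n = sizeof(model_devs) / sizeof(model_devs[0]);

    if (!devid && (!device_path || !device_path[0]))
        return -EINVAL;
    for (i = 0; i < n; i++)
        if (devid ? model_devs[i].devid == devid
                  : strcmp(model_devs[i].path, device_path) == 0)
            return 0;
    return -ENOENT; /* also covers "missing": this model has no missing device */
}

/* Pre-fix condition: the lookup failed with -ENOENT and the caller would go
 * on to strcmp() a NULL path. Reported as a flag instead of being executed. */
static int model_prefix_would_deref_null(unsigned long long devid, const char *device_path)
{
    return model_find_device(devid, device_path) == -ENOENT && device_path == NULL;
}

/* Post-fix check: test the pointer before comparing it with "missing". */
static int model_rm_device_fixed(unsigned long long devid, const char *device_path)
{
    int ret = model_find_device(devid, device_path);

    if (ret == -ENOENT && device_path && strcmp(device_path, "missing") == 0)
        return MODEL_ERR_MISSING_NOT_FOUND;
    return ret;
}

int main(void)
{   /* devid 3 with no path: a plain -ENOENT instead of a NULL dereference */
    return model_rm_device_fixed(3, NULL) == -ENOENT ? 0 : 1;
}
```
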
[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id
This bug is awaiting verification that the linux-hwe-5.8/5.8.0-66.74
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-focal' to 'verification-done-focal'. If the
problem still exists, change the tag 'verification-needed-focal' to
'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed
[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id
** Changed in: linux-hwe-5.8 (Ubuntu Focal)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed
[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id
** Also affects: linux-azure (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-azure (Ubuntu Focal)
       Status: New => In Progress

** Changed in: linux-azure (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-azure (Ubuntu Focal)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux-azure (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  In Progress