[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

2021-10-18 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-azure-5.8 -
5.8.0-1043.46~20.04.1

---
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
    (LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
    id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
      loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are
      changing
  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

 -- Marcelo Henrique Cerri   Thu, 07 Oct 2021 09:39:35 -0300

** Changed in: linux-azure-5.8 (Ubuntu Focal)
   Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26541

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  Fix Released
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed

Bug description:
  [BUG]
  It's easy to trigger NULL pointer dereference, just by removing a
  non-existing device id:

   # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
       /dev/test/scratch2
   # mount /dev/test/scratch1 /mnt/btrfs
   # btrfs device remove 3 /mnt/btrfs

  Then we have the 

[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

2021-10-12 Thread Tim Gardner
** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed

Bug description:
  [BUG]
  It's easy to trigger NULL pointer dereference, just by removing a
  non-existing device id:

   # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
       /dev/test/scratch2
   # mount /dev/test/scratch1 /mnt/btrfs
   # btrfs device remove 3 /mnt/btrfs

  Then we have the following kernel NULL pointer dereference:

   BUG: kernel NULL pointer dereference, address: 
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x) - not-present page
   PGD 0 P4D 0
   Oops:  [#1] PREEMPT SMP NOPTI
   CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
   RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
    btrfs_ioctl+0x18bb/0x3190 [btrfs]
    ? lock_is_held_type+0xa5/0x120
    ? find_held_lock.constprop.0+0x2b/0x80
    ? do_user_addr_fault+0x201/0x6a0
    ? lock_release+0xd2/0x2d0
    ? __x64_sys_ioctl+0x83/0xb0
    __x64_sys_ioctl+0x83/0xb0
    do_syscall_64+0x3b/0x90
    entry_SYSCALL_64_after_hwframe+0x44/0xae

  [CAUSE]
  Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
  btrfs_device directly") moves the "missing" device path check into
  btrfs_rm_device().

  But btrfs_rm_device() itself can have a case where it only receives
  @devid, with NULL as @device_path.

  In that case, calling strcmp() on NULL will trigger the NULL pointer
  dereference.

  Before that commit, we handle the "missing" case inside
  btrfs_find_device_by_devspec(), which will not check @device_path at all
  if @devid is provided, thus no way to trigger the bug.

  [FIX]
  Before calling strcmp(), also make sure @device_path is not NULL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1945987/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
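
The check described under [CAUSE] and [FIX] in the bug description above, as a user-space model added here for illustration; it is not the kernel patch or code from this thread. The function names, the device table and the DEV_MISSING_NOT_FOUND value are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the "missing device not found" error code. */
#define DEV_MISSING_NOT_FOUND 1001

struct dev { unsigned long long devid; const char *path; };

/* Constructed two-device filesystem, as in the reproducer (devids 1, 2). */
static const struct dev devices[] = {
    { 1, "/dev/test/scratch1" },
    { 2, "/dev/test/scratch2" },
};

/* By devid when non-zero, else by path: 0 found, -ENOENT not, -EINVAL none. */
static int find_device(unsigned long long devid, const char *path)
{
    size_t i, n = sizeof(devices) / sizeof(devices[0]);

    if (!devid && !path)
        return -EINVAL;
    for (i = 0; i < n; i++) {
        if (devid ? devices[i].devid == devid
                  : strcmp(devices[i].path, path) == 0)
            return 0;
    }
    return -ENOENT;
}

/* Pre-fix shape: with devid 3 and a NULL path, strcmp() reads through NULL. */
int rm_device_before_fix(unsigned long long devid, const char *device_path)
{
    int err = find_device(devid, device_path);

    if (err == -ENOENT && strcmp(device_path, "missing") == 0)
        return DEV_MISSING_NOT_FOUND;
    return err;
}

/* Fixed shape: the "missing" comparison runs only when a path was passed. */
int rm_device_fixed(unsigned long long devid, const char *device_path)
{
    int err = find_device(devid, device_path);

    if (err == -ENOENT && device_path && strcmp(device_path, "missing") == 0)
        return DEV_MISSING_NOT_FOUND;
    return err;
}
```

With the fixed form, removing the non-existent devid 3 returns -ENOENT to the caller, while a by-path request for "missing" still maps to the dedicated error.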


[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

2021-10-08 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the linux-hwe-5.8/5.8.0-66.74
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-focal' to 'verification-done-focal'. If the
problem still exists, change the tag 'verification-needed-focal' to
'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-focal


[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

2021-10-04 Thread Stefan Bader
** Changed in: linux-hwe-5.8 (Ubuntu Focal)
   Status: In Progress => Fix Committed


[Kernel-packages] [Bug 1945987] Re: linux: btrfs: fix NULL pointer dereference when deleting device by invalid id

2021-10-04 Thread Tim Gardner
** Also affects: linux-azure (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-azure (Ubuntu Focal)
   Status: New => In Progress

** Changed in: linux-azure (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-azure (Ubuntu Focal)
 Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux-azure (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure in Ubuntu.
https://bugs.launchpad.net/bugs/1945987

Title:
  linux: btrfs: fix NULL pointer dereference when deleting device by
  invalid id

Status in linux-azure package in Ubuntu:
  Invalid
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-azure source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  In Progress
Status in linux-hwe-5.8 source package in Focal:
  In Progress
