Vulnerability title
btrfs: zoned: fix use-after-free due to race with dev replace
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: fix use-after-free due to race with dev replace
While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (the source device of the replace operation).
This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use that device while not under the protection of the device replace rwsem. If a device replace operation is in progress when we extract the device and that device is the source of the replace operation, we trigger a use-after-free if the replace operation finishes and frees the device before we are done using it.
Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.
CVSS information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Use after free
漏洞标题
btrfs: zoned: fix use-after-free due to race with dev replace
漏洞描述信息
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: fix use-after-free due to race with dev replace
While loading a zone's info during creation of a block group, we can race
with a device replace operation and then trigger a use-after-free on the
device that was just replaced (source device of the replace operation).
This happens because at btrfs_load_zone_info() we extract a device from
the chunk map into a local variable and then use the device while not
under the protection of the device replace rwsem. So if there's a device
replace operation happening when we extract the device and that device
is the source of the replace operation, we will trigger a use-after-free
if before we finish using the device the replace operation finishes and
frees the device.
Fix this by enlarging the critical section under the protection of the
device replace rwsem so that all uses of the device are done inside the
critical section.
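The race described above is a general lock-scope defect: a pointer is extracted under a reader/writer lock, the lock is dropped, and the pointer is used while a writer is free to free the object. The following C is an added illustration of that pattern and its fix, not the btrfs code; it models the device replace rwsem as a tiny single-threaded counter (`struct rwsem`, `down_read`, `down_write_trylock`) and uses a `freed` flag instead of a real `kfree()` so the use-after-free can be detected safely. All names (`zdevice`, `chunk_dev`, `load_zone_info_racy`, `load_zone_info_fixed`, `dev_replace_finish`) are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the btrfs device replace rwsem (not the kernel's). */
struct rwsem { int readers; int writer; };

static void down_read(struct rwsem *s) { s->readers++; }
static void up_read(struct rwsem *s)   { s->readers--; }
/* Writer acquire: fails (returns 0) while any reader holds the lock, which is
 * what makes the enlarged critical section protect the device. */
static int down_write_trylock(struct rwsem *s)
{
    if (s->readers > 0 || s->writer)
        return 0;
    s->writer = 1;
    return 1;
}
static void up_write(struct rwsem *s) { s->writer = 0; }

/* Hypothetical device: 'freed' stands in for the memory having been kfree()d. */
struct zdevice { int id; int freed; };

static struct rwsem dev_replace_sem;
static struct zdevice *chunk_dev;   /* slot in the "chunk map" holding the device */

/* Replace side: swap the source device for the target and free the source.
 * Returns 0 when the replace completed, EBUSY when a reader held the rwsem
 * (the real kernel would block here; trylock keeps the model deterministic). */
static int dev_replace_finish(struct zdevice *target)
{
    if (!down_write_trylock(&dev_replace_sem))
        return EBUSY;
    struct zdevice *source = chunk_dev;
    chunk_dev = target;
    source->freed = 1;              /* the source device is freed */
    up_write(&dev_replace_sem);
    return 0;
}

/* Using the device: returns its id, or -1 if the memory was already freed
 * (the point where real code would dereference freed memory). */
static int use_device(const struct zdevice *dev)
{
    return dev->freed ? -1 : dev->id;
}

/* Racy pattern: extract under the lock, release it, then use the local copy.
 * The replace is modelled as completing in the unprotected window. */
static int load_zone_info_racy(struct zdevice *target)
{
    down_read(&dev_replace_sem);
    struct zdevice *dev = chunk_dev;    /* extracted into a local variable */
    up_read(&dev_replace_sem);

    dev_replace_finish(target);         /* race window: source device freed */

    return use_device(dev);             /* -1: use-after-free */
}

/* Fixed pattern: every use of the device happens inside the critical section,
 * so the replace cannot free the device until the reader is done. */
static int load_zone_info_fixed(struct zdevice *target, int *replace_rc)
{
    down_read(&dev_replace_sem);
    struct zdevice *dev = chunk_dev;

    *replace_rc = dev_replace_finish(target);   /* EBUSY: held off by the reader */
    int ret = use_device(dev);                  /* device still valid */

    up_read(&dev_replace_sem);
    return ret;
}

/* Put a fresh source device in the chunk map slot before each scenario. */
static void reset_chunk_dev(struct zdevice *source)
{
    source->freed = 0;
    chunk_dev = source;
}

int main(void)
{
    struct zdevice source = { 1, 0 }, target = { 2, 0 };
    int rc;

    reset_chunk_dev(&source);
    printf("racy:  use_device -> %d (-1 = use-after-free)\n",
           load_zone_info_racy(&target));

    reset_chunk_dev(&source);
    printf("fixed: use_device -> %d, replace rc=%d (EBUSY=%d)\n",
           load_zone_info_fixed(&target, &rc), rc, EBUSY);
    return 0;
}
```

The model shows why the fix is to widen the critical section rather than to re-check the pointer: the replace side cannot free the source device while any reader holds the rwsem, so keeping the read side held across the last use of the device removes the window entirely.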
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Linux kernel security vulnerability
Vulnerability description
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (United States). The Linux kernel has a security vulnerability that stems from a race condition in the btrfs:zoned component between loading zone information and a device replace operation, which can lead to use of an already-freed device and trigger a use-after-free error.
CVSS information
N/A
Vulnerability category
Other