[SRU][B][PULL] btrfs: fixes for multiple CVEs
Andrea Righi
andrea.righi at canonical.com
Thu Jun 11 17:11:25 UTC 2020
[Impact/Description]
This pull request contains fixes for the following CVEs:
CVE-2019-19036
CVE-2019-19816
CVE-2019-19039
CVE-2019-19318
CVE-2019-19813
CVE-2019-19377
I am sending a single pull request, because it is important to apply the
fixes in a precise order: some fixes are relying on the fact that other
fixes are also applied.
[Test case]
Each CVE has its own PoC, usually a btrfs image and a small C program.
These PoCs have been used to verify the correctness of the fixes.
[Fixes]
The biggest chunk of changes is represented by the tree-checker fixes
that are addressing CVE-2019-19318 specifically, but they are also
required to apply the other fixes for CVE-2019-19318, CVE-2019-19036,
CVE-2019-19377 and CVE-2019-19039.
All fixes are clean cherry picks or backports of upstream commits.
Backport activity was minimal, mostly small context adjustments. Only
the following commit required some extra work to include a few changes
from other commits (that seemed to be a better solution rather than
including too many other dependent commits with lots of conflicts to
resolve):
17632ac6d932f btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
[Regression potential]
This change is pretty big and it also includes backported commits, so
there is a risk of regression.
However, all the CVE PoCs have been tested with positive results. I
also stress tested a mounted btrfs filesystem both using fio and iozone
and I could not break it (even if doing additional stress testing
activity would not be bad).
[Pull request]
The following changes since commit 0402610fed7152bb5c2689b1740d40b17a78cfa7:

  UBUNTU: Ubuntu-4.15.0-107.108 (2020-06-08 18:11:55 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~arighi/+git/bionic-linux CVE-btrfs

for you to fetch changes up to e1736b5fd7eb3f62e1ad2e700eec22143cbc019c:

  btrfs: Don't submit any btree write bio if the fs has errors (2020-06-11 18:30:47 +0200)
----------------------------------------------------------------
Anand Jain (1):
btrfs: harden agaist duplicate fsid on scanned devices
David Sterba (15):
btrfs: tree-checker: get fs_info from eb in generic_err
btrfs: tree-checker: get fs_info from eb in file_extent_err
btrfs: tree-checker: get fs_info from eb in check_csum_item
btrfs: tree-checker: get fs_info from eb in dir_item_err
btrfs: tree-checker: get fs_info from eb in check_dir_item
btrfs: tree-checker: get fs_info from eb in block_group_err
btrfs: tree-checker: get fs_info from eb in check_block_group_item
btrfs: tree-checker: get fs_info from eb in check_extent_data_item
btrfs: tree-checker: get fs_info from eb in check_leaf_item
btrfs: tree-checker: get fs_info from eb in check_leaf
btrfs: tree-checker: get fs_info from eb in chunk_err
btrfs: tree-checker: get fs_info from eb in dev_item_err
btrfs: tree-checker: get fs_info from eb in check_dev_item
btrfs: tree-checker: get fs_info from eb in check_inode_item
btrfs: sink flush_fn to extent_write_cache_pages
Filipe Manana (4):
Btrfs: fix selftests failure due to uninitialized i_mode in test inodes
Btrfs: tree-checker: detect file extent items with overlapping ranges
Btrfs: make tree checker detect checksum items with overlapping ranges
Btrfs: fix missing data checksums after replaying a log tree
Qu Wenruo (23):
btrfs: Refactor parameter of BTRFS_MAX_DEVS() from root to fs_info
btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it
btrfs: tree-checker: Make chunk item checker messages more readable
btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO
btrfs: tree-checker: Check chunk item at tree block read time
btrfs: tree-checker: Verify dev item
btrfs: tree-checker: Enhance chunk checker to validate chunk profile
btrfs: tree-checker: Verify inode item
btrfs: inode: Verify inode mode to avoid NULL pointer dereference
btrfs: tree-checker: Replace root parameter with fs_info
btrfs: tree-checker: Check level for leaves and nodes
btrfs: tree-checker: Add ROOT_ITEM check
btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check
btrfs: tree-checker: Add simple keyed refs check
btrfs: tree-checker: Add EXTENT_DATA_REF check
btrfs: tree-checker: Fix wrong check on max devid
btrfs: volumes: Use more straightforward way to calculate map length
btrfs: tree-checker: Try to detect missing INODE_ITEM
btrfs: reloc: fix reloc root leak and NULL pointer dereference
btrfs: Validate child tree block's level and first key
btrfs: Detect unbalanced tree with empty leaf before crashing btree operations
btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
btrfs: Don't submit any btree write bio if the fs has errors
fs/btrfs/backref.c | 6 +-
fs/btrfs/ctree.c | 28 +-
fs/btrfs/ctree.h | 19 +-
fs/btrfs/disk-io.c | 116 ++++-
fs/btrfs/disk-io.h | 8 +-
fs/btrfs/extent-tree.c | 15 +-
fs/btrfs/extent_io.c | 161 +++++--
fs/btrfs/file-item.c | 7 +-
fs/btrfs/inode.c | 44 +-
fs/btrfs/print-tree.c | 10 +-
fs/btrfs/qgroup.c | 7 +-
fs/btrfs/ref-verify.c | 7 +-
fs/btrfs/relocation.c | 37 +-
fs/btrfs/tests/btrfs-tests.c | 8 +-
fs/btrfs/tests/inode-tests.c | 1 +
fs/btrfs/tree-checker.c | 1039 ++++++++++++++++++++++++++++++++++++++----
fs/btrfs/tree-checker.h | 11 +-
fs/btrfs/tree-log.c | 57 ++-
fs/btrfs/volumes.c | 150 ++----
fs/btrfs/volumes.h | 9 +
20 files changed, 1414 insertions(+), 326 deletions(-)