ACK/Cmnt: [SRU][B][PULL] btrfs: fixes for multiple CVEs

Stefan Bader stefan.bader at canonical.com
Fri Jun 12 07:30:05 UTC 2020


On 11.06.20 19:11, Andrea Righi wrote:
> [Impact/Description]
> 
> This pull request contains fixes for the following CVEs:
> 
>  CVE-2019-19036
>  CVE-2019-19816
>  CVE-2019-19039
>  CVE-2019-19318
>  CVE-2019-19813
>  CVE-2019-19377
> 
> I am sending a single pull request, because it is important to apply the
> fixes in a precise order: some fixes are relying on the fact that other
> fixes are also applied.
> 
> [Test case]
> 
> Each CVE has its own PoC, usually a btrfs image and a small C program.
> These PoCs have been used to verify the correctness of the fixes.
> 
> [Fixes]
> 
> The biggest chunk of changes is represented by the tree-checker fixes
> that are addressing CVE-2019-19318 specifically, but they are also
> required to apply the other fixes for CVE-2019-19318, CVE-2019-19036,
> CVE-2019-19377 and CVE-2019-19039.
> 
> All fixes are clean cherry picks or backports of upstream commits.
> 
> Backport activity was minimal, mostly small context adjustments. Only
> the following commit required some extra work to include a few changes
> from other commits (that seemed to be a better solution rather than
> including too many other dependent commits with lots of conflicts to
> resolve):
> 
>  17632ac6d932f btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
> 
> [Regression potential]
> 
> This change is pretty big and it also includes backported commits, so
> there is a risk of regression.
> 
> However, all the CVE PoCs have been tested with positive results. I
> also stress tested a mounted btrfs filesystem both using fio and iozone
> and I could not break it (even if doing additional stress testing
> activity would not be bad).
> 
> [Pull request]
> 
> The following changes since commit 0402610fed7152bb5c2689b1740d40b17a78cfa7:
> 
>   UBUNTU: Ubuntu-4.15.0-107.108 (2020-06-08 18:11:55 +0200)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~arighi/+git/bionic-linux CVE-btrfs
> 
> for you to fetch changes up to e1736b5fd7eb3f62e1ad2e700eec22143cbc019c:
> 
>   btrfs: Don't submit any btree write bio if the fs has errors (2020-06-11 18:30:47 +0200)
> 
> ----------------------------------------------------------------
> Anand Jain (1):
>       btrfs: harden agaist duplicate fsid on scanned devices
> 
> David Sterba (15):
>       btrfs: tree-checker: get fs_info from eb in generic_err
>       btrfs: tree-checker: get fs_info from eb in file_extent_err
>       btrfs: tree-checker: get fs_info from eb in check_csum_item
>       btrfs: tree-checker: get fs_info from eb in dir_item_err
>       btrfs: tree-checker: get fs_info from eb in check_dir_item
>       btrfs: tree-checker: get fs_info from eb in block_group_err
>       btrfs: tree-checker: get fs_info from eb in check_block_group_item
>       btrfs: tree-checker: get fs_info from eb in check_extent_data_item
>       btrfs: tree-checker: get fs_info from eb in check_leaf_item
>       btrfs: tree-checker: get fs_info from eb in check_leaf
>       btrfs: tree-checker: get fs_info from eb in chunk_err
>       btrfs: tree-checker: get fs_info from eb in dev_item_err
>       btrfs: tree-checker: get fs_info from eb in check_dev_item
>       btrfs: tree-checker: get fs_info from eb in check_inode_item
>       btrfs: sink flush_fn to extent_write_cache_pages
> 
> Filipe Manana (4):
>       Btrfs: fix selftests failure due to uninitialized i_mode in test inodes
>       Btrfs: tree-checker: detect file extent items with overlapping ranges
>       Btrfs: make tree checker detect checksum items with overlapping ranges
>       Btrfs: fix missing data checksums after replaying a log tree
> 
> Qu Wenruo (23):
>       btrfs: Refactor parameter of BTRFS_MAX_DEVS() from root to fs_info
>       btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it
>       btrfs: tree-checker: Make chunk item checker messages more readable
>       btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO
>       btrfs: tree-checker: Check chunk item at tree block read time
>       btrfs: tree-checker: Verify dev item
>       btrfs: tree-checker: Enhance chunk checker to validate chunk profile
>       btrfs: tree-checker: Verify inode item
>       btrfs: inode: Verify inode mode to avoid NULL pointer dereference
>       btrfs: tree-checker: Replace root parameter with fs_info
>       btrfs: tree-checker: Check level for leaves and nodes
>       btrfs: tree-checker: Add ROOT_ITEM check
>       btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check
>       btrfs: tree-checker: Add simple keyed refs check
>       btrfs: tree-checker: Add EXTENT_DATA_REF check
>       btrfs: tree-checker: Fix wrong check on max devid
>       btrfs: volumes: Use more straightforward way to calculate map length
>       btrfs: tree-checker: Try to detect missing INODE_ITEM
>       btrfs: reloc: fix reloc root leak and NULL pointer dereference
>       btrfs: Validate child tree block's level and first key
>       btrfs: Detect unbalanced tree with empty leaf before crashing btree operations
>       btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
>       btrfs: Don't submit any btree write bio if the fs has errors
> 
>  fs/btrfs/backref.c           |    6 +-
>  fs/btrfs/ctree.c             |   28 +-
>  fs/btrfs/ctree.h             |   19 +-
>  fs/btrfs/disk-io.c           |  116 ++++-
>  fs/btrfs/disk-io.h           |    8 +-
>  fs/btrfs/extent-tree.c       |   15 +-
>  fs/btrfs/extent_io.c         |  161 +++++--
>  fs/btrfs/file-item.c         |    7 +-
>  fs/btrfs/inode.c             |   44 +-
>  fs/btrfs/print-tree.c        |   10 +-
>  fs/btrfs/qgroup.c            |    7 +-
>  fs/btrfs/ref-verify.c        |    7 +-
>  fs/btrfs/relocation.c        |   37 +-
>  fs/btrfs/tests/btrfs-tests.c |    8 +-
>  fs/btrfs/tests/inode-tests.c |    1 +
>  fs/btrfs/tree-checker.c      | 1039 ++++++++++++++++++++++++++++++++++++++----
>  fs/btrfs/tree-checker.h      |   11 +-
>  fs/btrfs/tree-log.c          |   57 ++-
>  fs/btrfs/volumes.c           |  150 ++----
>  fs/btrfs/volumes.h           |    9 +
>  20 files changed, 1414 insertions(+), 326 deletions(-)
> 
This is too large for detailed review of the patches. Luckily everything is
limited to one specific filesystem and verification of the PoC and the stress
test run makes the risk acceptable. The only other thing I quickly checked was
that each mentioned CVE number appears at least once in the patches.

Acked-by: Stefan Bader <stefan.bader at canonical.com>
