APPLIED: [SRU][B][PULL] btrfs: fixes for multiple CVEs
Khaled Elmously
khalid.elmously at canonical.com
Tue Jun 16 17:23:49 UTC 2020
On 2020-06-11 19:11:25 , Andrea Righi wrote:
> [Impact/Description]
>
> This pull request contains fixes for the following CVEs:
>
> CVE-2019-19036
> CVE-2019-19816
> CVE-2019-19039
> CVE-2019-19318
> CVE-2019-19813
> CVE-2019-19377
>
> I am sending a single pull request, because it is important to apply the
> fixes in a precise order: some fixes are relying on the fact that other
> fixes are also applied.
>
> [Test case]
>
> Each CVE has its own PoC, usually a btrfs image and a small C program.
> These PoCs have been used to verify the correctness of the fixes.
>
> [Fixes]
>
> The biggest chunk of changes is represented by the tree-checker fixes
> that are addressing CVE-2019-19318 specifically, but they are also
> required to apply the other fixes for CVE-2019-19318, CVE-2019-19036,
> CVE-2019-19377 and CVE-2019-19039.
>
> All fixes are clean cherry picks or backports of upstream commits.
>
> Backport activity was minimal, mostly small context adjustments. Only
> the following commit required some extra work to include a few changes
> from other commits (that seemed to be a better solution rather than
> including too many other dependent commits with lots of conflicts to
> resolve):
>
> 17632ac6d932f btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
>
> [Regression potential]
>
> This change is pretty big and it also includes backported commits, so
> there is a risk of regression.
>
> However, all the CVE PoCs have been tested with positive results. I
> also stress tested a mounted btrfs filesystem both using fio and iozone
> and I could not break it (even if doing additional stress testing
> activity would not be bad).
>
> [Pull request]
>
> The following changes since commit 0402610fed7152bb5c2689b1740d40b17a78cfa7:
>
> UBUNTU: Ubuntu-4.15.0-107.108 (2020-06-08 18:11:55 +0200)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~arighi/+git/bionic-linux CVE-btrfs
>
> for you to fetch changes up to e1736b5fd7eb3f62e1ad2e700eec22143cbc019c:
>
> btrfs: Don't submit any btree write bio if the fs has errors (2020-06-11 18:30:47 +0200)
>
> ----------------------------------------------------------------
> Anand Jain (1):
> btrfs: harden agaist duplicate fsid on scanned devices
>
> David Sterba (15):
> btrfs: tree-checker: get fs_info from eb in generic_err
> btrfs: tree-checker: get fs_info from eb in file_extent_err
> btrfs: tree-checker: get fs_info from eb in check_csum_item
> btrfs: tree-checker: get fs_info from eb in dir_item_err
> btrfs: tree-checker: get fs_info from eb in check_dir_item
> btrfs: tree-checker: get fs_info from eb in block_group_err
> btrfs: tree-checker: get fs_info from eb in check_block_group_item
> btrfs: tree-checker: get fs_info from eb in check_extent_data_item
> btrfs: tree-checker: get fs_info from eb in check_leaf_item
> btrfs: tree-checker: get fs_info from eb in check_leaf
> btrfs: tree-checker: get fs_info from eb in chunk_err
> btrfs: tree-checker: get fs_info from eb in dev_item_err
> btrfs: tree-checker: get fs_info from eb in check_dev_item
> btrfs: tree-checker: get fs_info from eb in check_inode_item
> btrfs: sink flush_fn to extent_write_cache_pages
>
> Filipe Manana (4):
> Btrfs: fix selftests failure due to uninitialized i_mode in test inodes
> Btrfs: tree-checker: detect file extent items with overlapping ranges
> Btrfs: make tree checker detect checksum items with overlapping ranges
> Btrfs: fix missing data checksums after replaying a log tree
>
> Qu Wenruo (23):
> btrfs: Refactor parameter of BTRFS_MAX_DEVS() from root to fs_info
> btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it
> btrfs: tree-checker: Make chunk item checker messages more readable
> btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO
> btrfs: tree-checker: Check chunk item at tree block read time
> btrfs: tree-checker: Verify dev item
> btrfs: tree-checker: Enhance chunk checker to validate chunk profile
> btrfs: tree-checker: Verify inode item
> btrfs: inode: Verify inode mode to avoid NULL pointer dereference
> btrfs: tree-checker: Replace root parameter with fs_info
> btrfs: tree-checker: Check level for leaves and nodes
> btrfs: tree-checker: Add ROOT_ITEM check
> btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check
> btrfs: tree-checker: Add simple keyed refs check
> btrfs: tree-checker: Add EXTENT_DATA_REF check
> btrfs: tree-checker: Fix wrong check on max devid
> btrfs: volumes: Use more straightforward way to calculate map length
> btrfs: tree-checker: Try to detect missing INODE_ITEM
> btrfs: reloc: fix reloc root leak and NULL pointer dereference
> btrfs: Validate child tree block's level and first key
> btrfs: Detect unbalanced tree with empty leaf before crashing btree operations
> btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
> btrfs: Don't submit any btree write bio if the fs has errors
>
> fs/btrfs/backref.c | 6 +-
> fs/btrfs/ctree.c | 28 +-
> fs/btrfs/ctree.h | 19 +-
> fs/btrfs/disk-io.c | 116 ++++-
> fs/btrfs/disk-io.h | 8 +-
> fs/btrfs/extent-tree.c | 15 +-
> fs/btrfs/extent_io.c | 161 +++++--
> fs/btrfs/file-item.c | 7 +-
> fs/btrfs/inode.c | 44 +-
> fs/btrfs/print-tree.c | 10 +-
> fs/btrfs/qgroup.c | 7 +-
> fs/btrfs/ref-verify.c | 7 +-
> fs/btrfs/relocation.c | 37 +-
> fs/btrfs/tests/btrfs-tests.c | 8 +-
> fs/btrfs/tests/inode-tests.c | 1 +
> fs/btrfs/tree-checker.c | 1039 ++++++++++++++++++++++++++++++++++++++----
> fs/btrfs/tree-checker.h | 11 +-
> fs/btrfs/tree-log.c | 57 ++-
> fs/btrfs/volumes.c | 150 ++----
> fs/btrfs/volumes.h | 9 +
> 20 files changed, 1414 insertions(+), 326 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team