ghsa-qj68-9gpw-8pq2
Vulnerability from github
Published
2024-05-21 15:31
Modified
2025-04-30 15:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

bcache: avoid oversized read request in cache missing code path

In the cache missing code path of cached device, if a proper location from the internal B+ tree is matched for a cache miss range, function cached_dev_cache_miss() will be called in cache_lookup_fn() in the following code block, [code block 1] 526 unsigned int sectors = KEY_INODE(k) == s->iop.inode 527 ? min_t(uint64_t, INT_MAX, 528 KEY_START(k) - bio->bi_iter.bi_sector) 529 : INT_MAX; 530 int ret = s->d->cache_miss(b, s, bio, sectors);

Here s->d->cache_miss() is the call backfunction pointer initialized as cached_dev_cache_miss(), the last parameter 'sectors' is an important hint to calculate the size of read request to backing device of the missing cache data.

Current calculation in above code block may generate oversized value of 'sectors', which consequently may trigger 2 different potential kernel panics by BUG() or BUG_ON() as listed below,

1) BUG_ON() inside bch_btree_insert_key(), [code block 2] 886 BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); 2) BUG() inside biovec_slab(), [code block 3] 51 default: 52 BUG(); 53 return NULL;

All the above panics are original from cached_dev_cache_miss() by the oversized parameter 'sectors'.

Inside cached_dev_cache_miss(), parameter 'sectors' is used to calculate the size of data read from backing device for the cache missing. This size is stored in s->insert_bio_sectors by the following lines of code, [code block 4] 909 s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);

Then the actual key inserting to the internal B+ tree is generated and stored in s->iop.replace_key by the following lines of code, [code block 5] 911 s->iop.replace_key = KEY(s->iop.inode, 912 bio->bi_iter.bi_sector + s->insert_bio_sectors, 913 s->insert_bio_sectors); The oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from the above code block.

And the bio sending to backing device for the missing data is allocated with hint from s->insert_bio_sectors by the following lines of code, [code block 6] 926 cache_bio = bio_alloc_bioset(GFP_NOWAIT, 927 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS), 928 &dc->disk.bio_split); The oversized parameter 'sectors' may trigger panic 2) by BUG() from the agove code block.

Now let me explain how the panics happen with the oversized 'sectors'. In code block 5, replace_key is generated by macro KEY(). From the definition of macro KEY(), [code block 7] 71 #define KEY(inode, offset, size) \ 72 ((struct bkey) { \ 73 .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode), \ 74 .low = (offset) \ 75 })

Here 'size' is 16bits width embedded in 64bits member 'high' of struct bkey. But in code block 1, if "KEY_START(k) - bio->bi_iter.bi_sector" is very probably to be larger than (1<<16) - 1, which makes the bkey size calculation in code block 5 is overflowed. In one bug report the value of parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors' results the overflowed s->insert_bio_sectors in code block 4, then makes size field of s->iop.replace_key to be 0 in code block 5. Then the 0- sized s->iop.replace_key is inserted into the internal B+ tree as cache missing check key (a special key to detect and avoid a racing between normal write request and cache missing read request) as, [code block 8] 915 ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key);

Then the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey size check BUG_ON() in code block 2, and causes the kernel panic 1).

Another ke ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47275"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: avoid oversized read request in cache missing code path\n\nIn the cache missing code path of cached device, if a proper location\nfrom the internal B+ tree is matched for a cache miss range, function\ncached_dev_cache_miss() will be called in cache_lookup_fn() in the\nfollowing code block,\n[code block 1]\n  526         unsigned int sectors = KEY_INODE(k) == s-\u003eiop.inode\n  527                 ? min_t(uint64_t, INT_MAX,\n  528                         KEY_START(k) - bio-\u003ebi_iter.bi_sector)\n  529                 : INT_MAX;\n  530         int ret = s-\u003ed-\u003ecache_miss(b, s, bio, sectors);\n\nHere s-\u003ed-\u003ecache_miss() is the call backfunction pointer initialized as\ncached_dev_cache_miss(), the last parameter \u0027sectors\u0027 is an important\nhint to calculate the size of read request to backing device of the\nmissing cache data.\n\nCurrent calculation in above code block may generate oversized value of\n\u0027sectors\u0027, which consequently may trigger 2 different potential kernel\npanics by BUG() or BUG_ON() as listed below,\n\n1) BUG_ON() inside bch_btree_insert_key(),\n[code block 2]\n   886         BUG_ON(b-\u003eops-\u003eis_extents \u0026\u0026 !KEY_SIZE(k));\n2) BUG() inside biovec_slab(),\n[code block 3]\n   51         default:\n   52                 BUG();\n   53                 return NULL;\n\nAll the above panics are original from cached_dev_cache_miss() by the\noversized parameter \u0027sectors\u0027.\n\nInside cached_dev_cache_miss(), parameter \u0027sectors\u0027 is used to calculate\nthe size of data read from backing device for the cache missing. This\nsize is stored in s-\u003einsert_bio_sectors by the following lines of code,\n[code block 4]\n  909    s-\u003einsert_bio_sectors = min(sectors, bio_sectors(bio) + reada);\n\nThen the actual key inserting to the internal B+ tree is generated and\nstored in s-\u003eiop.replace_key by the following lines of code,\n[code block 5]\n  911   s-\u003eiop.replace_key = KEY(s-\u003eiop.inode,\n  912                    bio-\u003ebi_iter.bi_sector + s-\u003einsert_bio_sectors,\n  913                    s-\u003einsert_bio_sectors);\nThe oversized parameter \u0027sectors\u0027 may trigger panic 1) by BUG_ON() from\nthe above code block.\n\nAnd the bio sending to backing device for the missing data is allocated\nwith hint from s-\u003einsert_bio_sectors by the following lines of code,\n[code block 6]\n  926    cache_bio = bio_alloc_bioset(GFP_NOWAIT,\n  927                 DIV_ROUND_UP(s-\u003einsert_bio_sectors, PAGE_SECTORS),\n  928                 \u0026dc-\u003edisk.bio_split);\nThe oversized parameter \u0027sectors\u0027 may trigger panic 2) by BUG() from the\nagove code block.\n\nNow let me explain how the panics happen with the oversized \u0027sectors\u0027.\nIn code block 5, replace_key is generated by macro KEY(). From the\ndefinition of macro KEY(),\n[code block 7]\n  71 #define KEY(inode, offset, size)                                  \\\n  72 ((struct bkey) {                                                  \\\n  73      .high = (1ULL \u003c\u003c 63) | ((__u64) (size) \u003c\u003c 20) | (inode),     \\\n  74      .low = (offset)                                              \\\n  75 })\n\nHere \u0027size\u0027 is 16bits width embedded in 64bits member \u0027high\u0027 of struct\nbkey. But in code block 1, if \"KEY_START(k) - bio-\u003ebi_iter.bi_sector\" is\nvery probably to be larger than (1\u003c\u003c16) - 1, which makes the bkey size\ncalculation in code block 5 is overflowed. In one bug report the value\nof parameter \u0027sectors\u0027 is 131072 (= 1 \u003c\u003c 17), the overflowed \u0027sectors\u0027\nresults the overflowed s-\u003einsert_bio_sectors in code block 4, then makes\nsize field of s-\u003eiop.replace_key to be 0 in code block 5. Then the 0-\nsized s-\u003eiop.replace_key is inserted into the internal B+ tree as cache\nmissing check key (a special key to detect and avoid a racing between\nnormal write request and cache missing read request) as,\n[code block 8]\n  915   ret = bch_btree_insert_check_key(b, \u0026s-\u003eop, \u0026s-\u003eiop.replace_key);\n\nThen the 0-sized s-\u003eiop.replace_key as 3rd parameter triggers the bkey\nsize check BUG_ON() in code block 2, and causes the kernel panic 1).\n\nAnother ke\n---truncated---",
  "id": "GHSA-qj68-9gpw-8pq2",
  "modified": "2025-04-30T15:30:43Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47275"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41fe8d088e96472f63164e213de44ec77be69478"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/555002a840ab88468e252b0eedf0b05e2ce7099c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.