Race Condition Affecting kernel-kdump-devel package, versions *


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RHEL7-KERNELKDUMPDEVEL-7627549
  • published 5 Aug 2024
  • disclosed 29 Jul 2024

How to fix?

There is no fixed version for RHEL:7 kernel-kdump-devel.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-kdump-devel package and not the kernel-kdump-devel package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

btrfs: scrub: handle RST lookup error correctly

[BUG] When running btrfs/060 with forced RST feature, it would crash the following ASSERT() inside scrub_read_endio():

ASSERT(sector_nr < stripe->nr_sectors);

Before that, we would have tree dump from btrfs_get_raid_extent_offset(), as we failed to find the RST entry for the range.

[CAUSE] Inside scrub_submit_extent_sector_read() every time we allocated a new bbio we immediately called btrfs_map_block() to make sure there was some RST range covering the scrub target.

But if btrfs_map_block() fails, we immediately call endio for the bbio, while the bbio is newly allocated, it's completely empty.

Then inside scrub_read_endio(), we go through the bvecs to find the sector number (as bi_sector is no longer reliable if the bio is submitted to lower layers).

And since the bio is empty, such bvecs iteration would not find any sector matching the sector, and return sector_nr == stripe->nr_sectors, triggering the ASSERT().

[FIX] Instead of calling btrfs_map_block() after allocating a new bbio, call btrfs_map_block() first.

Since our only objective of calling btrfs_map_block() is only to update stripe_len, there is really no need to do that after btrfs_alloc_bio().

This new timing would avoid the problem of handling empty bbio completely, and in fact fixes a possible race window for the old code, where if the submission thread is the only owner of the pending_io, the scrub would never finish (since we didn't decrease the pending_io counter).

Although the root cause of RST lookup failure still needs to be addressed.

CVSS Scores

version 3.1
Expand this section

Red Hat

5.5 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High