From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Josef Bacik, David Sterba
Subject: [PATCH 4.19 15/92] btrfs: only search for left_info if there is no right_info in try_merge_free_space
Date: Thu, 20 Aug 2020 11:21:00 +0200
Message-Id: <20200820091538.337979619@linuxfoundation.org>
In-Reply-To: <20200820091537.490965042@linuxfoundation.org>
References: <20200820091537.490965042@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Josef Bacik

commit bf53d4687b8f3f6b752f091eb85f62369a515dfd upstream.

In try_to_merge_free_space we attempt to find entries to the left and right of the entry we are adding to see if they can be merged. We search for an entry past our current info (saved into right_info), and then if right_info exists and it has a rb_prev() we save the rb_prev() into left_info.

However there's a slight problem in the case that we have a right_info, but no entry previous to that entry. At that point we will search for an entry just before the info we're attempting to insert. This will simply find right_info again, and assign it to left_info, making them both the same pointer.

Now if right_info _can_ be merged with the range we're inserting, we'll add it to the info and free right_info. However further down we'll access left_info, which was right_info, and thus get a use-after-free.

Fix this by only searching for the left entry if we don't find a right entry at all.

The CVE referenced had a specially crafted file system that could trigger this use-after-free. However with the tree checker improvements we no longer trigger the conditions for the UAF. But the original conditions still apply, hence this fix.

Reference: CVE-2019-19448
Fixes: 963030817060 ("Btrfs: use hybrid extents+bitmap rb tree for free space")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
---
 fs/btrfs/free-space-cache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/free-space-cache.c +++ b/fs/btrfs/free-space-cache.c @@ -2169,7 +2169,7 @@ out: static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, struct btrfs_free_space *info, bool update_stat) { - struct btrfs_free_space *left_info; + struct btrfs_free_space *left_info = NULL; struct btrfs_free_space *right_info; bool merged = false; u64 offset = info->offset; 
@@ -2184,7 +2184,7 @@ static bool try_merge_free_space(struct if (right_info && rb_prev(&right_info->offset_index)) left_info = rb_entry(rb_prev(&right_info->offset_index), struct btrfs_free_space, offset_index); - else + else if (!right_info) left_info = tree_search_offset(ctl, offset - 1, 0, 0); if (right_info && !right_info->bitmap) {
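Review bot: the `left_info = NULL` initialiser in the first hunk is load-bearing rather than cosmetic, and deserves a comment saying so at the declaration. With the second hunk's `else if (!right_info)` there is now a path (right_info found, but it has no rb_prev()) on which left_info is never assigned, so without the initialiser it would be read uninitialised wherever left_info is tested later in the function (not shown in the hunk). A one-line comment such as `/* NULL: no mergeable left neighbour */` would stop a future cleanup from dropping the `= NULL` as redundant.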
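Review bot: `else if (!right_info)` in the second hunk reads as redundant at first glance, since the `if` just above already tests `right_info`, and a reader may be tempted to fold it back into the plain `else` this patch removes. Suggest a comment above it capturing the reasoning from the commit message, e.g. `/* right_info has no predecessor; searching offset - 1 would return right_info itself and alias the two pointers */`, because the `if (right_info && !right_info->bitmap)` branch that follows frees right_info, and an aliased left_info would then be a dangling pointer. A `WARN_ON(left_info == right_info)` after the selection would also turn any recurrence into a loud report instead of a silent use-after-free.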
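The aliasing described in the commit message, modelled in a small constructed C program (added here; this is not code from the patch or from btrfs). It assumes that `tree_search_offset(ctl, off, 0, 0)` returns the extent entry whose range contains `off`, and stands in an array sorted by offset for the rb tree, so that `rb_prev()` becomes `e - 1`; the `fixed` flag switches between the pre-patch `else` and the patched `else if (!right_info)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a btrfs free-space extent entry; the "tree" is an
 * array sorted by offset, so rb_prev() becomes e - 1 (NULL at the front). */
struct fs_entry { uint64_t offset; uint64_t bytes; };
struct fs_tree { struct fs_entry *ent; size_t n; };

/* Assumed behaviour of tree_search_offset(ctl, off, 0, 0): return the
 * extent whose [offset, offset + bytes) contains off, or NULL. */
static struct fs_entry *search_offset(struct fs_tree *t, uint64_t off)
{
	for (size_t i = 0; i < t->n; i++)
		if (t->ent[i].offset <= off &&
		    off < t->ent[i].offset + t->ent[i].bytes)
			return &t->ent[i];
	return NULL;
}

static struct fs_entry *prev_entry(struct fs_tree *t, struct fs_entry *e)
{
	return e == t->ent ? NULL : e - 1;
}

/* Neighbour selection as in try_merge_free_space. fixed == false is the
 * pre-patch plain "else"; fixed == true is "else if (!right_info)".
 * Returns true when left and right are the same entry: the aliasing that
 * lets right_info be freed after the merge and then read via left_info. */
bool neighbours_alias(struct fs_tree *t, uint64_t offset, uint64_t bytes,
		      bool fixed)
{
	struct fs_entry *left = NULL, *right;

	right = search_offset(t, offset + bytes);
	if (right && prev_entry(t, right))
		left = prev_entry(t, right);
	else if (!fixed || !right)
		left = search_offset(t, offset - 1);
	return left && left == right;
}

/* Constructed inputs. corrupt_tree holds one extent [0, 4096) that already
 * covers the [1024, 2048) range being inserted; a consistent free-space
 * tree never overlaps like this, which is what the tree checker rejects. */
static struct fs_entry corrupt_ent[] = { { 0, 4096 } };
static struct fs_entry sane_ent[] = { { 0, 1024 }, { 2048, 1024 } };
struct fs_tree corrupt_tree = { corrupt_ent, 1 };
struct fs_tree sane_tree = { sane_ent, 2 };
```

On the corrupt layout the pre-patch selection yields `left == right`, while the patched selection leaves `left` NULL; on the sane layout both variants pick distinct neighbours.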