In the Linux kernel, a vulnerability has been resolved in OCFS2 (Oracle Cluster File System 2) related to Direct I/O (DIO) failure due to insufficient transaction credits. The problem was identified by Heming Zhao, who reported a customer-triggered kernel panic on a heavily fragmented OCFS2 filesystem.

The issue arises in ocfs2_dio_end_io_write(), which estimates the required transaction credits using ocfs2_calc_extend_credits(). However, this estimate does not always account for the fact that an I/O operation could be very large and contain an arbitrary number of extents.

Extent tree manipulations can often extend the current transaction, but not in all cases. For example, if the tree contains only single block extents, ocfs2_mark_extent_written() ends up calling ocfs2_replace_extent_rec() every time. The current transaction is then never extended and, eventually, all transaction credits are exhausted. When this happens, a warning is triggered in jbd2_journal_dirty_metadata(), and OCFS2 aborts in response to the error.

To address this issue, the fix ensures that the transaction always has enough credits for one extent insert before each call of ocfs2_mark_extent_written().
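The credit accounting described above can be modelled in user space. This is an added example, not kernel code and not taken from the fix commit; the struct, the function names and the numbers (8 credits per extent insert, an up-front estimate of 64) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CREDITS_PER_INSERT 8 /* assumed cost of one extent insert (constructed) */

/* Hypothetical stand-in for a journal handle: remaining credits plus abort flag. */
struct handle { int credits; bool aborted; };

/* Models the journal check: dirtying metadata without enough credits aborts. */
static void dirty_metadata(struct handle *h, int nblocks)
{
    if (h->credits < nblocks) { h->aborted = true; return; }
    h->credits -= nblocks;
}

/* Models the single-block-extent path: the record is replaced in place,
 * credits are consumed, and the transaction is never extended. */
static void mark_extent_written(struct handle *h)
{
    dirty_metadata(h, CREDITS_PER_INSERT);
}

/* Models the fix: make sure one extent insert fits before each call.
 * Setting the counter stands in for extending or restarting the transaction. */
static void assure_credits(struct handle *h, int needed)
{
    if (h->credits < needed) h->credits = needed;
}

/* Converts n_extents extents; returns how many completed before an abort. */
size_t complete_dio(size_t n_extents, int estimate, bool fixed)
{
    struct handle h = { .credits = estimate, .aborted = false };
    size_t done = 0;
    for (size_t i = 0; i < n_extents; i++) {
        if (fixed) assure_credits(&h, CREDITS_PER_INSERT);
        mark_extent_written(&h);
        if (h.aborted) break; /* the real filesystem aborts (or panics) here */
        done++;
    }
    return done;
}

int main(void)
{
    printf("estimate once:   %zu of 1000\n", complete_dio(1000, 64, false));
    printf("assure per call: %zu of 1000\n", complete_dio(1000, 64, true));
    return 0;
}
```

With a one-time estimate the model aborts as soon as the I/O spans more extents than the estimate covers, while the per-call check completes regardless of fragmentation.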

Below is an excerpt from the kernel stack trace provided by Heming Zhao that demonstrates the problem:

PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error"
---
PID: xxx  TASK: xxxx  CPU: 5  COMMAND: "SubmitThread-CA"
#0 machine_kexec at ffffffff8c069932
#1 __crash_kexec at ffffffff8c1338fa
#2 panic at ffffffff8c1d69b9
#3 ocfs2_handle_error at ffffffffcc86cc [ocfs2]
#4 __ocfs2_abort at ffffffffcc88387 [ocfs2]
#5 ocfs2_journal_dirty at ffffffffcc51e98 [ocfs2]
#6 ocfs2_split_extent at ffffffffcc27ea3 [ocfs2]
#7 ocfs2_change_extent_flag at ffffffffcc28053 [ocfs2]
#8 ocfs2_mark_extent_written at ffffffffcc28347 [ocfs2]
#9 ocfs2_dio_end_io_write at ffffffffcc2bef9 [ocfs2]
#10 ocfs2_dio_end_io at ffffffffcc2cf5 [ocfs2]
#11 dio_complete at ffffffff8c2b9fa7
#12 do_blockdev_direct_IO at ffffffff8c2bc09f

For more information, refer to the original references:

- Vulnerability report by Heming Zhao
- Fix commit in Linux kernel

In conclusion, the Linux kernel team has resolved a vulnerability in the OCFS2 filesystem related to DIO failure and insufficient transaction credits. The fix ensures that the transaction always has enough credits for an extent insert, which prevents kernel panics and other issues stemming from exhausted transaction credits in heavily fragmented OCFS2 filesystems.

Timeline

Published on: 07/29/2024 16:15:07 UTC
Last modified on: 07/30/2024 18:59:53 UTC