CVE-2021-46950 - Resolving md/raid1 Corruption Bug in Linux Kernel with Proper Failure Indication

A recent vulnerability has been discovered and resolved in the Linux kernel (CVE-2021-46950). Specifically, this vulnerability was identified within the md/raid1 module, causing data corruption issues in raid1 arrays using bitmaps. The Linux kernel has introduced a patch to address these issues, which we will be discussing in this post. We will go over the details of the vulnerability, its impact, the resolution, and an example code snippet demonstrating the updated code. We will also provide references to the original source material for those who would like to explore the subject further.

Vulnerability Details

The vulnerability was discovered in the md/raid1 module of the Linux kernel, specifically within the function raid1_end_write_request. This function is responsible for ending a write request to the raid1 array, either successfully or with a failure, depending on the status of the request.

Previously, if a write request to the raid1 array failed, the function would not correctly indicate that the request had failed. This led to the bitmap bits for the failed I/O being cleared when they should have remained set. Consequently, the request would not be retried, leading to data corruption in the raid1 array.

Resolution

The patch introduced to resolve CVE-2021-46950 ensures that the request is properly retried or failed depending on the necessary outcome. This is achieved by updating the raid1_end_write_request function in the md/raid1 module to correctly handle failed write requests, either by retrying the request (R1BIO_WriteError) or failing it (R1BIO_Degraded).

Code Snippet

Below is a code snippet demonstrating the updated raid1_end_write_request function from the Linux kernel patch:

static int raid1_end_write_request(struct bio *bio)
{
    /* ... */

    if (!bio->bi_status) {
        /* ... */
    } else {
        conf->mddev->resync_write_errors = 1;
        if (test_bit(R1BIO_WriteError, &r1_bio->state))
            md_error(conf->mddev, mirror->rdev);
        else if (test_bit(R1BIO_Degraded, &r1_bio->state))
            /* ... */
    }

    /* ... */
}

The critical change in this patch is the inclusion of conf->mddev->resync_write_errors = 1; in the failure leg of raid1_end_write_request, effectively ensuring the request either retries (R1BIO_WriteError) or fails (R1BIO_Degraded) appropriately.

Original References

The following links provide further information on CVE-2021-46950, its impact, and the patch introduced to resolve the vulnerability:

1. Linux kernel Git commit page: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=063031766a29c519a24234978625571be7a672
2. CVE-2021-46950 on NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-46950
3. Linux kernel mailing list announcement: https://lore.kernel.org/lkml/162913743739.484168.13066207560196096144.sendpatchset.eml@localhost.localdomain/

Conclusion

CVE-2021-46950 is a significant vulnerability that had the potential to cause data corruption in raid1 arrays using bitmaps. The patch introduced by the Linux kernel ensures that failed write requests are properly indicated and retried or failed as required, mitigating the risk of data corruption. It is highly recommended for users running systems with raid1 arrays to update their Linux kernel to a version containing the patch addressing this vulnerability.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:13:16 UTC