{"uuid": "3a55b7f2-f5cb-46ca-8d3d-9b0c2a21d3cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-35849", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14753", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-35849\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.\n\ud83d\udccf Published: 2024-05-17T14:47:27.486Z\n\ud83d\udccf Modified: 2025-05-04T09:06:47.671Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772\n2. https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86\n3. https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6\n4. https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d\n5. https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6\n6. https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc\n7. https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54\n8. https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf", "creation_timestamp": "2025-05-04T09:18:07.000000Z"}