cve-2024-35949
Vulnerability from cvelistv5
Published
2024-05-20 09:17
Modified
2024-11-05 09:25
Severity ?
Summary
btrfs: make sure that WRITTEN is set on all metadata blocks
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35949",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:38:20.543684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:40:35.661Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.957Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/tree-checker.c",
            "fs/btrfs/tree-checker.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef3ba8ce8cf7",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "e03418abde87",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/tree-checker.c",
            "fs/btrfs/tree-checker.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn\u0027t set on the leaf, and then the\nextended leaf checks don\u0027t get run which we rely on to validate all of\nthe item pointers to make sure we don\u0027t access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking.  This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n  [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n  [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n  [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n  [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n  [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n  [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n  [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n  [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n  [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n  [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n  [2.621] FS:  00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n  [2.621] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n  [2.621] Call Trace:\n  [2.621]  \u003cTASK\u003e\n  [2.621]  ? show_regs+0x74/0x80\n  [2.621]  ? die_addr+0x46/0xc0\n  [2.621]  ? exc_general_protection+0x161/0x2a0\n  [2.621]  ? asm_exc_general_protection+0x26/0x30\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? btrfs_get_16+0x34b/0x6d0\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? __pfx_btrfs_get_16+0x10/0x10\n  [2.621]  ? __pfx_mutex_unlock+0x10/0x10\n  [2.621]  btrfs_match_dir_item_name+0x101/0x1a0\n  [2.621]  btrfs_lookup_dir_item+0x1f3/0x280\n  [2.621]  ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n  [2.621]  btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:25:32.154Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273"
        }
      ],
      "title": "btrfs: make sure that WRITTEN is set on all metadata blocks",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35949",
    "datePublished": "2024-05-20T09:17:38.893Z",
    "dateReserved": "2024-05-17T13:50:33.134Z",
    "dateUpdated": "2024-11-05T09:25:32.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35949\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-20T10:15:10.413\",\"lastModified\":\"2024-11-21T09:21:16.360\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: make sure that WRITTEN is set on all metadata blocks\\n\\nWe previously would call btrfs_check_leaf() if we had the check\\nintegrity code enabled, which meant that we could only run the extended\\nleaf checks if we had WRITTEN set on the header flags.\\n\\nThis leaves a gap in our checking, because we could end up with\\ncorruption on disk where WRITTEN isn\u0027t set on the leaf, and then the\\nextended leaf checks don\u0027t get run which we rely on to validate all of\\nthe item pointers to make sure we don\u0027t access memory outside of the\\nextent buffer.\\n\\nHowever, since 732fab95abe2 (\\\"btrfs: check-integrity: remove\\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\\\") we no longer call\\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\\never call it on blocks that are being written out, and thus have WRITTEN\\nset, or that are being read in, which should have WRITTEN set.\\n\\nAdd checks to make sure we have WRITTEN set appropriately, and then make\\nsure __btrfs_check_leaf() always does the item checking.  This will\\nprotect us from file systems that have been corrupted and no longer have\\nWRITTEN set on some of the blocks.\\n\\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\\nKASAN as out-of-bound access in the eb accessors. The example is a dir\\nitem at the end of an eb.\\n\\n  [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\\n  [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\\n  [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\\n  [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\\n  [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n  [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\\n  [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\\n  [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\\n  [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\\n  [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\\n  [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\\n  [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\\n  [2.621] FS:  00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\\n  [2.621] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\\n  [2.621] Call Trace:\\n  [2.621]  \u003cTASK\u003e\\n  [2.621]  ? show_regs+0x74/0x80\\n  [2.621]  ? die_addr+0x46/0xc0\\n  [2.621]  ? exc_general_protection+0x161/0x2a0\\n  [2.621]  ? asm_exc_general_protection+0x26/0x30\\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\\n  [2.621]  ? btrfs_get_16+0x34b/0x6d0\\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\\n  [2.621]  ? __pfx_btrfs_get_16+0x10/0x10\\n  [2.621]  ? __pfx_mutex_unlock+0x10/0x10\\n  [2.621]  btrfs_match_dir_item_name+0x101/0x1a0\\n  [2.621]  btrfs_lookup_dir_item+0x1f3/0x280\\n  [2.621]  ? __pfx_btrfs_lookup_dir_item+0x10/0x10\\n  [2.621]  btrfs_get_tree+0xd25/0x1910\\n\\n[ copy more details from report ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: aseg\u00farese de que WRITTEN est\u00e9 configurado en todos los bloques de metadatos. Anteriormente llamar\u00edamos a btrfs_check_leaf() si ten\u00edamos el c\u00f3digo de verificaci\u00f3n de integridad habilitado, lo que significaba que solo pod\u00edamos ejecutar la hoja extendida. comprueba si ten\u00edamos ESCRITO configurado en las banderas del encabezado. Esto deja un vac\u00edo en nuestra verificaci\u00f3n, porque podr\u00edamos terminar con corrupci\u00f3n en el disco donde ESCRITO no est\u00e1 configurado en la hoja, y luego no se ejecutan las verificaciones extendidas de la hoja, en las que confiamos para validar todos los punteros de elementos a aseg\u00farese de no acceder a la memoria fuera del b\u00fafer de extensi\u00f3n. Sin embargo, desde 732fab95abe2 (\\\"btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option\\\") ya no llamamos a btrfs_check_leaf() desde btrfs_mark_buffer_dirty(), lo que significa que solo lo llamamos en bloques que se est\u00e1n escribiendo y, por lo tanto, tienen configurado WRITTEN. o que se est\u00e1n leyendo, que deber\u00edan tener configurado ESCRITO. Agregue comprobaciones para asegurarse de que hemos escrito ESCRITO correctamente y luego aseg\u00farese de que __btrfs_check_leaf() siempre realice la verificaci\u00f3n del elemento. Esto nos proteger\u00e1 de sistemas de archivos que se han corrompido y ya no tienen ESCRITO configurado en algunos de los bloques. Esto se produjo en una imagen dise\u00f1ada que modificaba el bit ESCRITO y KASAN lo inform\u00f3 como acceso fuera de los l\u00edmites en los descriptores de acceso eb. El ejemplo es un elemento de directorio al final de un eb. [2.042] Advertencia BTRFS (bucle de dispositivo 1): inicio de miembro eb incorrecto: ptr 0x3fff inicio 30572544 desplazamiento de miembro 16410 tama\u00f1o 2 [2.040] falla de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI [2.537 ] KASAN: tal vez acceso a memoria salvaje en el rango [0x0005088000000018-0x000508800000001f] [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1 [2.729] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) ), BIOS 1.15.0-1 01/04/2014 [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0 [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206 [2.621] RAX: 0000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0 [2.621 ] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748 [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9 [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e 8 [2.621] FS : 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2.621] : 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0 [2.621] Seguimiento de llamadas: [2.621]  [2.621] ? show_regs+0x74/0x80 [2.621] ? die_addr+0x46/0xc0 [2.621] ? exc_general_protection+0x161/0x2a0 [2.621] ? asm_exc_general_protection+0x26/0x30 [2.621]? btrfs_get_16+0x33a/0x6d0 [2.621] ? btrfs_get_16+0x34b/0x6d0 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? __pfx_btrfs_get_16+0x10/0x10 [2.621] ? __pfx_mutex_unlock+0x10/0x10 [2.621] btrfs_match_dir_item_name+0x101/0x1a0 [2.621] btrfs_lookup_dir_item+0x1f3/0x280 [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10 [2.621] btrfs_get_tree+0xd25/0x1910 [copiar m\u00e1s detalles del informe]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.