cve-2024-26644
Vulnerability from cvelistv5
Published
2024-03-26 15:17
Modified
2024-11-05 09:13
Severity ?
EPSS score ?
Summary
btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T16:07:39.514220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T16:07:49.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.716Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bdf872bcfe6",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "0877497dc978",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "6e6bca99e8d8",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "ec794a752819",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "d8680b722f0f",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "7081929ab257",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t abort filesystem when attempting to snapshot deleted subvolume\n\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\n\n BTRFS: Transaction aborted (error -2)\n WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? __warn+0x81/0x130\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? report_bug+0x171/0x1a0\n ? handle_bug+0x3a/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n create_pending_snapshots+0x92/0xc0 [btrfs]\n btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n btrfs_mksubvol+0x301/0x4d0 [btrfs]\n btrfs_mksnapshot+0x80/0xb0 [btrfs]\n __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n btrfs_ioctl+0x8a6/0x2650 [btrfs]\n ? kmem_cache_free+0x22/0x340\n ? do_sys_openat2+0x97/0xe0\n __x64_sys_ioctl+0x97/0xd0\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7fe20abe83af\n RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n BTRFS info (device vdc: state EA): forced readonly\n BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\n\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\n\nFix it by checking the source root\u0027s refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion."
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T09:13:07.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464"
},
{
"url": "https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c"
},
{
"url": "https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b"
},
{
"url": "https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256"
},
{
"url": "https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff"
},
{
"url": "https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a"
}
],
"title": "btrfs: don\u0027t abort filesystem when attempting to snapshot deleted subvolume",
"x_generator": {
"engine": "bippy-9e1c9544281a"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26644",
"datePublished": "2024-03-26T15:17:17.614Z",
"dateReserved": "2024-02-19T14:20:24.138Z",
"dateUpdated": "2024-11-05T09:13:07.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-26644\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-26T16:15:12.137\",\"lastModified\":\"2024-11-05T10:15:36.880\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: don\u0027t abort filesystem when attempting to snapshot deleted subvolume\\n\\nIf the source file descriptor to the snapshot ioctl refers to a deleted\\nsubvolume, we get the following abort:\\n\\n BTRFS: Transaction aborted (error -2)\\n WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\\n Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\\n CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\\n RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\\n RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\\n RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\\n RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\\n RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\\n R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\\n R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\\n FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\\n Call Trace:\\n \u003cTASK\u003e\\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\\n ? __warn+0x81/0x130\\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\\n ? report_bug+0x171/0x1a0\\n ? handle_bug+0x3a/0x70\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\\n create_pending_snapshots+0x92/0xc0 [btrfs]\\n btrfs_commit_transaction+0x66b/0xf40 [btrfs]\\n btrfs_mksubvol+0x301/0x4d0 [btrfs]\\n btrfs_mksnapshot+0x80/0xb0 [btrfs]\\n __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\\n btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\\n btrfs_ioctl+0x8a6/0x2650 [btrfs]\\n ? kmem_cache_free+0x22/0x340\\n ? do_sys_openat2+0x97/0xe0\\n __x64_sys_ioctl+0x97/0xd0\\n do_syscall_64+0x46/0xf0\\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n RIP: 0033:0x7fe20abe83af\\n RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\\n RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\\n RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\n R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\\n \u003c/TASK\u003e\\n ---[ end trace 0000000000000000 ]---\\n BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\\n BTRFS info (device vdc: state EA): forced readonly\\n BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\\n BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\\n\\nThis happens because create_pending_snapshot() initializes the new root\\nitem as a copy of the source root item. This includes the refs field,\\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\\nfinds the root and returns -ENOENT if refs == 0, which causes\\ncreate_pending_snapshot() to abort.\\n\\nFix it by checking the source root\u0027s refs before attempting the\\nsnapshot, but after locking subvol_sem to avoid racing with deletion.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: no aborte el sistema de archivos al intentar crear una instant\u00e1nea del subvolumen eliminado. Si el descriptor del archivo fuente de la instant\u00e1nea ioctl se refiere a un subvolumen eliminado, obtenemos la siguiente cancelaci\u00f3n: BTRFS: transacci\u00f3n abortada (error -2) ADVERTENCIA: CPU: 0 PID: 833 en fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs] M\u00f3dulos vinculados en: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c CPU: 0 PID: 833 Comm: t_snapshot_dele No contaminado 6.7.0-rc6 #2 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 01/04/2014 RIP: 0010:create_pending_snapshot +0x1040/0x1190 [btrfs] RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027 RDX: ffff99 827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840 RBP: ffffa09c01337c00 R08: 00000000000000000 R09: ffffa09c01337998 R10: 000000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80 FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:000000000000 0000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0 Rastreo de llamadas: \u0026lt; TAREA\u0026gt; ? create_pending_snapshot+0x1040/0x1190 [btrfs]? __advertir+0x81/0x130 ? create_pending_snapshot+0x1040/0x1190 [btrfs]? report_bug+0x171/0x1a0? handle_bug+0x3a/0x70? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? create_pending_snapshot+0x1040/0x1190 [btrfs]? create_pending_snapshot+0x1040/0x1190 [btrfs] create_pending_snapshots+0x92/0xc0 [btrfs] btrfs_commit_transaction+0x66b/0xf40 [btrfs] btrfs_mksubvol+0x301/0x4d0 [btrfs] btrfs_mksnapshot+0x8 0/0xb0 [btrfs] __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs] btrfs_ioctl_snap_create_v2+ 0xc4/0x150 [btrfs] btrfs_ioctl+0x8a6/0x2650 [btrfs] ? kmem_cache_free+0x22/0x340? do_sys_openat2+0x97/0xe0 __x64_sys_ioctl+0x97/0xd0 do_syscall_64+0x46/0xf0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7fe20abe83af RSP: 002b:00007ffe6eff13 60 EFLAGS: 00000246 ORIG_RAX: 00000000000000010 RAX: ffffffffffffffda RBX: 00000000000000004 RCX: 00007fe20abe83af RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0 R10: 0000000000000000 R11: 00 00000000000246 R12: 0000000000000000 R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58 ---[ final de seguimiento 0000000000000000 ]--- BTRFS: error ( dispositivo vdc: estado A) en create_pending_snapshot:1875: errno=-2 No existe tal entrada Informaci\u00f3n BTRFS (dispositivo vdc: estado EA): solo lectura forzada Advertencia BTRFS (dispositivo vdc: estado EA): omitir confirmaci\u00f3n de transacci\u00f3n abortada. BTRFS: error (dispositivo vdc: estado EA) en cleanup_transaction:2055: errno=-2 No existe tal entrada. Esto sucede porque create_pending_snapshot() inicializa el nuevo elemento ra\u00edz como una copia del elemento ra\u00edz de origen. Esto incluye el campo de referencias, que es 0 para un subvolumen eliminado. Por lo tanto, la llamada a btrfs_insert_root() inserta una ra\u00edz con refs == 0. btrfs_get_new_fs_root() luego encuentra la ra\u00edz y devuelve -ENOENT si refs == 0, lo que hace que create_pending_snapshot() aborte. Solucionelo verificando las referencias de la ra\u00edz de origen antes de intentar la instant\u00e1nea, pero despu\u00e9s de bloquear subvol_sem para evitar correr con la eliminaci\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.