cve-2024-35798
Vulnerability from cvelistv5
Published
2024-05-17 13:23
Modified
2024-11-05 09:22
Severity ?
Summary
btrfs: fix race in read_extent_buffer_pages()
Impacted products
Vendor Product Version
Linux Linux Version: 6.5
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35798",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T15:26:19.488238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T15:26:30.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:47.569Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0427c8ef8bbb",
              "status": "affected",
              "version": "d7172f52e993",
              "versionType": "git"
            },
            {
              "lessThan": "3a25878a3378",
              "status": "affected",
              "version": "d7172f52e993",
              "versionType": "git"
            },
            {
              "lessThan": "2885d54af2c2",
              "status": "affected",
              "version": "d7172f52e993",
              "versionType": "git"
            },
            {
              "lessThan": "ef1e68236b91",
              "status": "affected",
              "version": "d7172f52e993",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race in read_extent_buffer_pages()\n\nThere are reports from tree-checker that detects corrupted nodes,\nwithout any obvious pattern so possibly an overwrite in memory.\nAfter some debugging it turns out there\u0027s a race when reading an extent\nbuffer the uptodate status can be missed.\n\nTo prevent concurrent reads for the same extent buffer,\nread_extent_buffer_pages() performs these checks:\n\n    /* (1) */\n    if (test_bit(EXTENT_BUFFER_UPTODATE, \u0026eb-\u003ebflags))\n        return 0;\n\n    /* (2) */\n    if (test_and_set_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags))\n        goto done;\n\nAt this point, it seems safe to start the actual read operation. Once\nthat completes, end_bbio_meta_read() does\n\n    /* (3) */\n    set_extent_buffer_uptodate(eb);\n\n    /* (4) */\n    clear_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags);\n\nNormally, this is enough to ensure only one read happens, and all other\ncallers wait for it to finish before returning.  Unfortunately, there is\na racey interleaving:\n\n    Thread A | Thread B | Thread C\n    ---------+----------+---------\n       (1)   |          |\n             |    (1)   |\n       (2)   |          |\n       (3)   |          |\n       (4)   |          |\n             |    (2)   |\n             |          |    (1)\n\nWhen this happens, thread B kicks of an unnecessary read. Worse, thread\nC will see UPTODATE set and return immediately, while the read from\nthread B is still in progress.  This race could result in tree-checker\nerrors like this as the extent buffer is concurrently modified:\n\n    BTRFS critical (device dm-0): corrupted node, root=256\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\n    expect [256, 18446744073709551360]\n\nFix it by testing UPTODATE again after setting the READING bit, and if\nit\u0027s been set, skip the unnecessary read.\n\n[ minor update of changelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:22:33.748Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80"
        },
        {
          "url": "https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215"
        }
      ],
      "title": "btrfs: fix race in read_extent_buffer_pages()",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35798",
    "datePublished": "2024-05-17T13:23:08.868Z",
    "dateReserved": "2024-05-17T12:19:12.341Z",
    "dateUpdated": "2024-11-05T09:22:33.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35798\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-17T14:15:12.170\",\"lastModified\":\"2024-05-17T18:35:35.070\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race in read_extent_buffer_pages()\\n\\nThere are reports from tree-checker that detects corrupted nodes,\\nwithout any obvious pattern so possibly an overwrite in memory.\\nAfter some debugging it turns out there\u0027s a race when reading an extent\\nbuffer the uptodate status can be missed.\\n\\nTo prevent concurrent reads for the same extent buffer,\\nread_extent_buffer_pages() performs these checks:\\n\\n    /* (1) */\\n    if (test_bit(EXTENT_BUFFER_UPTODATE, \u0026eb-\u003ebflags))\\n        return 0;\\n\\n    /* (2) */\\n    if (test_and_set_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags))\\n        goto done;\\n\\nAt this point, it seems safe to start the actual read operation. Once\\nthat completes, end_bbio_meta_read() does\\n\\n    /* (3) */\\n    set_extent_buffer_uptodate(eb);\\n\\n    /* (4) */\\n    clear_bit(EXTENT_BUFFER_READING, \u0026eb-\u003ebflags);\\n\\nNormally, this is enough to ensure only one read happens, and all other\\ncallers wait for it to finish before returning.  Unfortunately, there is\\na racey interleaving:\\n\\n    Thread A | Thread B | Thread C\\n    ---------+----------+---------\\n       (1)   |          |\\n             |    (1)   |\\n       (2)   |          |\\n       (3)   |          |\\n       (4)   |          |\\n             |    (2)   |\\n             |          |    (1)\\n\\nWhen this happens, thread B kicks of an unnecessary read. Worse, thread\\nC will see UPTODATE set and return immediately, while the read from\\nthread B is still in progress.  This race could result in tree-checker\\nerrors like this as the extent buffer is concurrently modified:\\n\\n    BTRFS critical (device dm-0): corrupted node, root=256\\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\\n    expect [256, 18446744073709551360]\\n\\nFix it by testing UPTODATE again after setting the READING bit, and if\\nit\u0027s been set, skip the unnecessary read.\\n\\n[ minor update of changelog ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige la ejecuci\u00f3n en read_extent_buffer_pages() Hay informes de tree-checker que detecta nodos corruptos, sin ning\u00fan patr\u00f3n obvio por lo que posiblemente se sobrescriba en la memoria. Despu\u00e9s de un poco de depuraci\u00f3n, resulta que hay una ejecuci\u00f3n cuando al leer un b\u00fafer de extensi\u00f3n se puede perder el estado de actualizaci\u00f3n. Para evitar lecturas simult\u00e1neas para el mismo b\u00fafer de extensi\u00f3n, read_extent_buffer_pages() realiza estas comprobaciones: /* (1) */ if (test_bit(EXTENT_BUFFER_UPTODATE, \u0026amp;eb-\u0026gt;bflags)) return 0; /* (2) */ if (test_and_set_bit(EXTENT_BUFFER_READING, \u0026amp;eb-\u0026gt;bflags)) ir a listo; En este punto, parece seguro iniciar la operaci\u00f3n de lectura real. Una vez que se completa, end_bbio_meta_read() hace /* (3) */ set_extent_buffer_uptodate(eb); /* (4) */ clear_bit(EXTENT_BUFFER_READING, \u0026amp;eb-\u0026gt;bflags); Normalmente, esto es suficiente para garantizar que solo se realice una lectura y que todos los dem\u00e1s llamantes esperen a que finalice antes de regresar. Desafortunadamente, hay un entrelazado racial: Hilo A | Hilo B | Rosca C ---------+----------+----------------- (1) | | | (1) | (2) | | (3) | | (4) | | | (2) | | | (1) Cuando esto sucede, el hilo B inicia una lectura innecesaria. Peor a\u00fan, el subproceso C ver\u00e1 la ACTUALIZACI\u00d3N configurada y regresar\u00e1 inmediatamente, mientras la lectura del subproceso B a\u00fan est\u00e1 en progreso. Esta ejecuci\u00f3n podr\u00eda dar como resultado errores del comprobador de \u00e1rbol como este, ya que el b\u00fafer de extensi\u00f3n se modifica simult\u00e1neamente: BTRFS cr\u00edtico (dispositivo dm-0): nodo da\u00f1ado, ra\u00edz=256 bloque=8550954455682405139 el propietario no coincide, tiene 11858205567642294356 expect [256, 18446744073709551360] Arreglarlo probando UPTODATE nuevamente despu\u00e9s de configurar el bit de LECTURA y, si se ha configurado, omita la lectura innecesaria. [actualizaci\u00f3n menor del registro de cambios]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.