CVE-2024-35798
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race in read_extent_buffer_pages()
There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed.
To prevent concurrent reads for the same extent buffer, read_extent_buffer_pages() performs these checks:
/* (1) */
if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
return 0;
/* (2) */
if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
goto done;
At this point, it seems safe to start the actual read operation. Once that completes, end_bbio_meta_read() does
/* (3) */
set_extent_buffer_uptodate(eb);
/* (4) */
clear_bit(EXTENT_BUFFER_READING, &eb->bflags);
Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving:
Thread A | Thread B | Thread C
---------+----------+---------
(1) | |
| (1) |
(2) | |
(3) | |
(4) | |
| (2) |
| | (1)
When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified:
BTRFS critical (device dm-0): corrupted node, root=256
block=8550954455682405139 owner mismatch, have 11858205567642294356
expect [256, 18446744073709551360]
Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read.
[ minor update of changelog ]
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d7172f52e9933b6ec9305e7fe6e829e3939dba04 < 0427c8ef8bbb7f304de42ef51d69c960e165e052 | affected |
| Linux | Linux | d7172f52e9933b6ec9305e7fe6e829e3939dba04 < 3a25878a3378adce5d846300c9570f15aa7f7a80 | affected |
| Linux | Linux | d7172f52e9933b6ec9305e7fe6e829e3939dba04 < 2885d54af2c2e1d910e20d5c8045bae40e02fbc1 | affected |
| Linux | Linux | d7172f52e9933b6ec9305e7fe6e829e3939dba04 < ef1e68236b9153c27cb7cf29ead0c532870d4215 | affected |
| Linux | Linux | 6.5 | affected |
| Linux | Linux | 0 < 6.5 | unaffected |
| Linux | Linux | 6.6.24 <= 6.6.* | unaffected |
| Linux | Linux | 6.7.12 <= 6.7.* | unaffected |
| Linux | Linux | 6.8.3 <= 6.8.* | unaffected |
| Linux | Linux | 6.9 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052
- https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80
- https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1
- https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215
References
- https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052
- https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80
- https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1
- https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.