CVE-2024-49868
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
[BUG] Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure. start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 … BTRFS info (device loop0): balance: ended with status: -12 Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667] RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926 Call Trace: <TASK> commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496 btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430 del_balance_item fs/btrfs/volumes.c:3678 [inline] reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742 btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[CAUSE] The allocation failure happens at the start_transaction() inside prepare_to_relocate(), and during the error handling we call unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.
Then we continue the error path cleanup in btrfs_balance() by calling reset_balance_state() which will call del_balance_item() to fully delete the balance item in the root tree.
However during the small window between set_reloc_contrl() and unset_reloc_control(), we can have a subvolume tree update and created a reloc_root for that subvolume.
Then we go into the final btrfs_commit_transaction() of del_balance_item(), and into btrfs_update_reloc_root() inside commit_fs_roots().
That function checks if fs_info->reloc_ctl is in the merge_reloc_tree stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer dereference.
[FIX] Just add extra check on fs_info->reloc_ctl inside btrfs_update_reloc_root(), before checking fs_info->reloc_ctl->merge_reloc_tree.
That DEAD_RELOC_TREE handling is to prevent further modification to the reloc tree during merge stage, but since there is no reloc_ctl at all, we do not need to bother that.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < 1282f001cbf56e5dd6e90a18e205a566793f4be0 | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < d73d48acf36f57362df7e4f9d76568168bf5e944 | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < 37fee9c220b92c3b7bf22b51c51dde5364e7590b | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < d13249c0df7aab885acb149695f82c54c0822a70 | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < 7ad0c5868f2f0418619089513d95230c66cb7eb4 | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < dc02c1440705e3451abd1c2c8114a5c1bb188e9f | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < 39356ec0e319ed07627b3a0f402d0608546509e6 | affected |
| Linux | Linux | 3fd0a5585eb98e074fb9934549c8d85c49756c0d < c3b47f49e83197e8dffd023ec568403bcdbb774b | affected |
| Linux | Linux | 2.6.35 | affected |
| Linux | Linux | 0 < 2.6.35 | unaffected |
| Linux | Linux | 5.4.285 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.227 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.168 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.113 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.55 <= 6.6.* | unaffected |
| Linux | Linux | 6.10.14 <= 6.10.* | unaffected |
| Linux | Linux | 6.11.3 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
References
- https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0
- https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944
- https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b
- https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70
- https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4
- https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f
- https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6
- https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.