CVE-2024-50273

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reinitialize delayed ref list after deleting it from the list

At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise.

So fix this by deleting from the list with list_del_init() instead.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < 2fd0948a483e9cb2d669c7199bc620a21c97673daffected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < 93c5b8decc0ef39ba84f4211d2db6da0a4aefbebaffected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < bf0b0c6d159767c0d1c21f793950d78486690ee0affected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < c24fa427fc0ae827b2a3a07f13738cbf82c3f851affected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < 2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6affected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < f04be6d68f715c1473a8422fc0460f57b5e99931affected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < 50a3933760b427759afdd23156a7280a19357a92affected
LinuxLinux1d57ee941692d0cc928526e21a1557b2ae3e11db < c9a75ec45f1111ef530ab186c2a7684d0a0c9245affected
LinuxLinux4.10affected
LinuxLinux0 < 4.10unaffected
LinuxLinux4.19.324 <= 4.19.*unaffected
LinuxLinux5.4.286 <= 5.4.*unaffected
LinuxLinux5.10.230 <= 5.10.*unaffected
LinuxLinux5.15.172 <= 5.15.*unaffected
LinuxLinux6.1.117 <= 6.1.*unaffected
LinuxLinux6.6.61 <= 6.6.*unaffected
LinuxLinux6.11.8 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References