CVE-2024-56759

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when COWing tree bock and tracing is enabled

When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free.

Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1affected
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < 526ff5b27f090fb15040471f892cd2c9899ce314affected
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < 66376f1a73cba57fd0af2631d7888605b738e499affected
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < 9a466b8693b9add05de99af00c7bdff8259ecf19affected
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < c3a403d8ce36f5a809a492581de5ad17843e4701affected
LinuxLinux3083ee2e18b701122a3b841db83448543a87a583 < 44f52bbe96dfdbe4aca3818a2534520082a07040affected
LinuxLinux3.4affected
LinuxLinux0 < 3.4unaffected
LinuxLinux5.10.233 <= 5.10.*unaffected
LinuxLinux5.15.176 <= 5.15.*unaffected
LinuxLinux6.1.124 <= 6.1.*unaffected
LinuxLinux6.6.70 <= 6.6.*unaffected
LinuxLinux6.12.8 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References