CVE-2024-56759
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free.
Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1 | affected |
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < 526ff5b27f090fb15040471f892cd2c9899ce314 | affected |
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < 66376f1a73cba57fd0af2631d7888605b738e499 | affected |
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < 9a466b8693b9add05de99af00c7bdff8259ecf19 | affected |
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < c3a403d8ce36f5a809a492581de5ad17843e4701 | affected |
| Linux | Linux | 3083ee2e18b701122a3b841db83448543a87a583 < 44f52bbe96dfdbe4aca3818a2534520082a07040 | affected |
| Linux | Linux | 3.4 | affected |
| Linux | Linux | 0 < 3.4 | unaffected |
| Linux | Linux | 5.10.233 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.176 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.124 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.70 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.8 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
References
- https://git.kernel.org/stable/c/ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1
- https://git.kernel.org/stable/c/526ff5b27f090fb15040471f892cd2c9899ce314
- https://git.kernel.org/stable/c/66376f1a73cba57fd0af2631d7888605b738e499
- https://git.kernel.org/stable/c/9a466b8693b9add05de99af00c7bdff8259ecf19
- https://git.kernel.org/stable/c/c3a403d8ce36f5a809a492581de5ad17843e4701
- https://git.kernel.org/stable/c/44f52bbe96dfdbe4aca3818a2534520082a07040
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.