CVE-2024-35798
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
17/05/2024
Last modified:
19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race in read_extent_buffer_pages()

There are reports from tree-checker detecting corrupted nodes,
without any obvious pattern, so possibly an overwrite in memory.
After some debugging it turns out there's a race when reading an extent
buffer: the uptodate status can be missed.

To prevent concurrent reads for the same extent buffer,
read_extent_buffer_pages() performs these checks:

    /* (1) */
    if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
        return 0;

    /* (2) */
    if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
        goto done;

At this point, it seems safe to start the actual read operation. Once
that completes, end_bbio_meta_read() does

    /* (3) */
    set_extent_buffer_uptodate(eb);

    /* (4) */
    clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

Normally, this is enough to ensure only one read happens, and all other
callers wait for it to finish before returning. Unfortunately, there is
a racy interleaving:

| Thread A | Thread B | Thread C |
|---|---|---|
| (1) | | |
| | (1) | |
| (2) | | |
| (3) | | |
| (4) | | |
| | (2) | |
| | | (1) |

When this happens, thread B kicks off an unnecessary read. Worse, thread
C will see UPTODATE set and return immediately, while the read from
thread B is still in progress. This race could result in tree-checker
errors like this as the extent buffer is concurrently modified:

    BTRFS critical (device dm-0): corrupted node, root=256
    block=8550954455682405139 owner mismatch, have 11858205567642294356
    expect [256, 18446744073709551360]

Fix it by testing UPTODATE again after setting the READING bit, and if
it's been set, skip the unnecessary read.

[ minor update of changelog ]
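The interleaving above is deterministic once the step order is fixed, so the window can be shown without real threads. The following is an added example, not code from the kernel or from this advisory: a constructed user-space model of the two bflags bits and of steps (1) to (4), which replays the exact A/B/C schedule from the commit message once with the original check sequence and once with the recheck of UPTODATE after the READING bit is won. The bit positions, the `struct eb_model` bookkeeping (`reads_started`, `reads_in_flight`) and the function names `race_reads_started()` / `race_unsafe_return()` are assumptions made for this example; `end_bbio_meta_read()` is only modelled as steps (3) and (4).

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed bit positions for the model; not the kernel's definitions. */
#define EXTENT_BUFFER_UPTODATE 0
#define EXTENT_BUFFER_READING  1

/* Constructed stand-in for the extent buffer state the race is about. */
struct eb_model {
    unsigned long bflags;
    int reads_started;   /* reads kicked off so far */
    int reads_in_flight; /* started but not yet completed by (3)/(4) */
};

enum outcome { OUT_PENDING, OUT_RETURNED_UPTODATE, OUT_STARTED_READ, OUT_WAITED, OUT_SKIPPED };

struct thread_model {
    enum outcome out;
    bool returned_during_read; /* returned "uptodate" while a read was in flight */
};

static bool test_bit(int nr, const unsigned long *w) { return (*w >> nr) & 1UL; }
static void set_bit(int nr, unsigned long *w) { *w |= 1UL << nr; }
static void clear_bit(int nr, unsigned long *w) { *w &= ~(1UL << nr); }
static bool test_and_set_bit(int nr, unsigned long *w)
{
    bool old = test_bit(nr, w);
    set_bit(nr, w);
    return old;
}

/* Execute one numbered step (1)-(4) from the commit message for a thread. */
static void run_step(struct eb_model *eb, struct thread_model *t, int step, bool fixed)
{
    switch (step) {
    case 1: /* (1): buffer already up to date, return without reading */
        if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) {
            t->out = OUT_RETURNED_UPTODATE;
            t->returned_during_read = eb->reads_in_flight > 0;
        }
        break;
    case 2: /* (2): claim READING; if another thread holds it, wait */
        if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags)) {
            t->out = OUT_WAITED;
            break;
        }
        /* The fix: a read that completed between (1) and (2) has set
         * UPTODATE, so re-test it here and skip the redundant read. */
        if (fixed && test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) {
            clear_bit(EXTENT_BUFFER_READING, &eb->bflags);
            t->out = OUT_SKIPPED;
            break;
        }
        eb->reads_started++;
        eb->reads_in_flight++;
        t->out = OUT_STARTED_READ;
        break;
    case 3: /* (3): completion marks the buffer up to date */
        set_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
        break;
    case 4: /* (4): completion releases the READING bit */
        clear_bit(EXTENT_BUFFER_READING, &eb->bflags);
        eb->reads_in_flight--;
        break;
    }
}

/* One scheduled step: thread index (0=A, 1=B, 2=C) and step number. */
struct sched_step { int thread; int step; };

/* The interleaving from the commit message, top to bottom. */
static const struct sched_step race_trace[] = {
    {0, 1}, {1, 1}, {0, 2}, {0, 3}, {0, 4}, {1, 2}, {2, 1},
};

static int replay(bool fixed, bool *unsafe_return)
{
    struct eb_model eb = {0, 0, 0};
    struct thread_model th[3] = {{OUT_PENDING, false}, {OUT_PENDING, false}, {OUT_PENDING, false}};
    size_t i;

    for (i = 0; i < sizeof(race_trace) / sizeof(race_trace[0]); i++)
        run_step(&eb, &th[race_trace[i].thread], race_trace[i].step, fixed);

    *unsafe_return = false;
    for (i = 0; i < 3; i++)
        if (th[i].returned_during_read)
            *unsafe_return = true;
    return eb.reads_started;
}

/* Reads kicked off under the traced schedule (2 unfixed, 1 fixed). */
int race_reads_started(bool fixed) { bool u; return replay(fixed, &u); }

/* True if any thread returned "uptodate" while a read was still in flight. */
bool race_unsafe_return(bool fixed) { bool u; replay(fixed, &u); return u; }

int main(void)
{
    printf("unfixed: %d reads, unsafe early return: %s\n",
           race_reads_started(false), race_unsafe_return(false) ? "yes" : "no");
    printf("fixed:   %d reads, unsafe early return: %s\n",
           race_reads_started(true), race_unsafe_return(true) ? "yes" : "no");
    return 0;
}
```

Without the recheck, thread B starts a second read and thread C returns at step (1) while that read is still in flight, which is the window in which the buffer contents can change under a caller that believes them stable; with the recheck, B releases READING and skips the read, so C's early return is safe. The model uses plain non-atomic bit helpers because the schedule is replayed sequentially; it demonstrates the logic of the check order, not memory-ordering behaviour.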
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.5 (including) | 6.6.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.8.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052
- https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1
- https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80
- https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215