CVE-2024-56581
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/12/2024
Last modified:
11/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: ref-verify: fix use-after-free after invalid ref action

At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and free the ref entry without removing it from the block entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call btrfs_free_ref_cache(), which iterates over all block entries and then calls free_block_entry() for each one, and there we will trigger a use-after-free when we are called against the block entry to which we added the freed ref entry to its rbtree, since the rbtree still points to the block entry, as we didn't remove it from the rbtree before freeing it in the error path at btrfs_ref_tree_mod(). Fix this by removing the new ref entry from the rbtree before freeing it.

Syzbot reported this with the following stack traces:

BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
__btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314
btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]
btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23
btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482
btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293
vfs_unlink+0x365/0x650 fs/namei.c:4469
do_unlinkat+0x4ae/0x830 fs/namei.c:4533
__do_sys_unlinkat fs/namei.c:4576 [inline]
__se_sys_unlinkat fs/namei.c:4569 [inline]
__x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1
__btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521
update_ref_for_cow+0x96a/0x11f0
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
__btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
__btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
__btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
__btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
__btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
__btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
btrfs_update_delayed_i
---truncated---
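The ownership mistake the commit message describes (a node freed while its container still links to it, then reached again by the container's cleanup walk) is easier to see in a small userspace model. The following is an added example written for this page; it is not the kernel's ref-verify code or the patch itself. A sorted singly linked list stands in for the kernel rbtree, the names ref_tree_mod, erase_ref, free_block_entry_refs and run_scenario are hypothetical, the enum values are constructed to match the "Ref action" numbers in the log, and the bytenr is taken from the syzbot line above. It implements the fixed ordering: unlink from the container first, free second, so the later cleanup pass only ever visits live entries.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed to mirror the "Ref action" values printed in the log above. */
enum ref_action { REF_ACTION_ADD = 1, REF_ACTION_DROP = 2 };

struct ref_entry {
    uint64_t root_objectid;   /* key used to order entries inside a block entry */
    struct ref_entry *next;   /* sorted singly linked list standing in for the rbtree */
};

struct block_entry {
    uint64_t bytenr;
    struct ref_entry *refs;   /* head of the sorted ref list */
    size_t num_refs;
};

/* Insert in key order; duplicate keys are rejected, as an rbtree insert would. */
static int insert_ref(struct block_entry *be, struct ref_entry *ref)
{
    struct ref_entry **pp = &be->refs;
    while (*pp && (*pp)->root_objectid < ref->root_objectid)
        pp = &(*pp)->next;
    if (*pp && (*pp)->root_objectid == ref->root_objectid)
        return -EEXIST;
    ref->next = *pp;
    *pp = ref;
    be->num_refs++;
    return 0;
}

/* Unlink without freeing: the container must forget the node before the node dies. */
static void erase_ref(struct block_entry *be, struct ref_entry *ref)
{
    struct ref_entry **pp = &be->refs;
    while (*pp && *pp != ref)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = ref->next;
        ref->next = NULL;
        be->num_refs--;
    }
}

/* Hypothetical stand-in for the fixed btrfs_ref_tree_mod() step: insert, then validate. */
static int ref_tree_mod(struct block_entry *be, uint64_t root, enum ref_action action)
{
    struct ref_entry *ref = calloc(1, sizeof(*ref));
    int ret;

    if (!ref)
        return -ENOMEM;
    ref->root_objectid = root;
    ret = insert_ref(be, ref);
    if (ret) {
        free(ref);            /* never linked, so freeing directly is safe */
        return ret;
    }
    if (action != REF_ACTION_ADD) {
        /* The fix: unlink before free so the cleanup walk cannot reach freed memory. */
        erase_ref(be, ref);
        free(ref);
        return -EINVAL;
    }
    return 0;
}

/* Stand-in for free_block_entry(): release every ref that is still linked. */
static size_t free_block_entry_refs(struct block_entry *be)
{
    size_t freed = 0;

    while (be->refs) {
        struct ref_entry *ref = be->refs;
        be->refs = ref->next;
        free(ref);
        freed++;
    }
    be->num_refs = 0;
    return freed;
}

/* Replays the scenario from the advisory: a valid add, then an unexpected drop action. */
int run_scenario(void)
{
    struct block_entry be = { .bytenr = 8564736 };   /* parent bytenr from the syzbot log */

    if (ref_tree_mod(&be, 5, REF_ACTION_ADD) != 0)
        return -1;
    if (ref_tree_mod(&be, 0, REF_ACTION_DROP) != -EINVAL)
        return -2;
    /* Only the valid entry remains linked; the rejected one was unlinked before free. */
    if (be.num_refs != 1)
        return -3;
    return (int)free_block_entry_refs(&be);
}
```

Building this with a sanitizer (for example `-fsanitize=address`) is the quick way to confirm the ordering: if the `erase_ref` call in the error path is removed, the cleanup walk in `free_block_entry_refs` touches the freed node and the sanitizer reports a heap-use-after-free, which is exactly the failure mode the commit message describes.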
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 5.4.287 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.231 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.174 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.120 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.64 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.4 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4275ac2741941c9c7c2293619fdbacb9f70ba85b
- https://git.kernel.org/stable/c/6370db28af9a8ae3bbdfe97f8a48f8f995e144cf
- https://git.kernel.org/stable/c/6fd018aa168e472ce35be32296d109db6adb87ea
- https://git.kernel.org/stable/c/7c4e39f9d2af4abaf82ca0e315d1fd340456620f
- https://git.kernel.org/stable/c/a6f9e7a0bf1185c9070c0de03bb85eafb9abd650
- https://git.kernel.org/stable/c/d2b85ce0561fde894e28fa01bd5d32820d585006
- https://git.kernel.org/stable/c/dfb9fe7de61f34cc241ab3900bdde93341096e0e