CVE-2024-35849: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
First published: Fri May 17 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino(): BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000 This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <4.19.313 | |
| Linux Kernel | >=4.20<5.4.275 | |
| Linux Kernel | >=5.5<5.10.216 | |
| Linux Kernel | >=5.11<5.15.158 | |
| Linux Kernel | >=5.16<6.1.90 | |
| Linux Kernel | >=6.2<6.6.30 | |
| Linux Kernel | >=6.7<6.8.9 | |
| Linux Kernel | =6.9-rc1 | |
| Linux Kernel | =6.9-rc2 | |
| Linux Kernel | =6.9-rc3 | |
| Linux Kernel | =6.9-rc4 | |
| Linux Kernel | =6.9-rc5 | |
| Debian Linux | =10.0 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.133-1 6.12.22-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf
- https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6
- https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
- https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772
- https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86
- https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
- https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d
- https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54
- https://launchpad.net/bugs/cve/CVE-2024-35849
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35849
- https://nvd.nist.gov/vuln/detail/CVE-2024-35849
- https://security-tracker.debian.org/tracker/CVE-2024-35849
- https://ubuntu.com/security/CVE-2024-35849
- https://git.kernel.org/linus/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf
Frequently Asked Questions
What is the severity of CVE-2024-35849?
CVE-2024-35849 is classified as having a medium severity level due to the potential information leak.
How do I fix CVE-2024-35849?
To mitigate CVE-2024-35849, upgrade to the patched Linux kernel versions listed in the advisory.
What types of systems are affected by CVE-2024-35849?
CVE-2024-35849 affects multiple versions of the Linux kernel across various distributions.
What is the nature of the flaw in CVE-2024-35849?
CVE-2024-35849 involves an information leak in the btrfs_ioctl_logical_to_ino() function of the Linux kernel.
When was CVE-2024-35849 reported?
CVE-2024-35849 was reported and fixed in early 2024.
- agent/title
- agent/type
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/description
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.9-rc1
- version/linux kernel/6.9-rc2
- version/linux kernel/6.9-rc3
- version/linux kernel/6.9-rc4
- version/linux kernel/6.9-rc5
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0
- package-manager/debian