CVE-2024-56759: btrfs: fix use-after-free when COWing tree bock and tracing is enabled
First published: Mon Jan 06 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | <6.12.8 | |
| Linux Linux kernel | =6.13-rc1 | |
| Linux Linux kernel | =6.13-rc2 | |
| Linux Linux kernel | =6.13-rc3 | |
| Linux Linux kernel | =6.13-rc4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/c3a403d8ce36f5a809a492581de5ad17843e4701
- https://git.kernel.org/stable/c/44f52bbe96dfdbe4aca3818a2534520082a07040
- https://git.kernel.org/stable/c/526ff5b27f090fb15040471f892cd2c9899ce314
- https://git.kernel.org/stable/c/66376f1a73cba57fd0af2631d7888605b738e499
- https://git.kernel.org/stable/c/9a466b8693b9add05de99af00c7bdff8259ecf19
- https://git.kernel.org/stable/c/ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/references
- agent/type
- agent/author
- agent/event
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/6.13-rc1
- version/linux linux kernel/6.13-rc2
- version/linux linux kernel/6.13-rc3
- version/linux linux kernel/6.13-rc4