CVE-2024-26944

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26944
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26944.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26944
Downstream
Related
Published
2024-05-01T05:18:04Z
Modified
2025-10-17T00:08:53.167906Z
Summary
btrfs: zoned: fix use-after-free in do_zone_finish()
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free in dozonefinish()

Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070.

BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in dozonefinish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007

CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dumpstacklvl+0x5b/0x90 printreport+0xcf/0x670 ? _virtaddrvalid+0x200/0x3e0 kasanreport+0xd8/0x110 ? dozonefinish+0x91a/0xb90 [btrfs] ? dozonefinish+0x91a/0xb90 [btrfs] dozonefinish+0x91a/0xb90 [btrfs] btrfsdeleteunusedbgs+0x5e1/0x1750 [btrfs] ? _pfxbtrfsdeleteunusedbgs+0x10/0x10 [btrfs] ? btrfsputroot+0x2d/0x220 [btrfs] ? btrfscleanonedeletedsnapshot+0x299/0x430 [btrfs] cleanerkthread+0x21e/0x380 [btrfs] ? _pfxcleanerkthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? _pfxkthread+0x10/0x10 retfromfork+0x31/0x70 ? _pfxkthread+0x10/0x10 retfromforkasm+0x1b/0x30 </TASK>

Allocated by task 3493983: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 _kasankmalloc+0xaa/0xb0 btrfsallocdevice+0xb3/0x4e0 [btrfs] devicelistadd.constprop.0+0x993/0x1630 [btrfs] btrfsscanonedevice+0x219/0x3d0 [btrfs] btrfscontrolioctl+0x26e/0x310 [btrfs] _x64sysioctl+0x134/0x1b0 dosyscall64+0x99/0x190 entrySYSCALL64afterhwframe+0x6e/0x76

Freed by task 3494056: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3f/0x60 poisonslabobject+0x102/0x170 _kasanslabfree+0x32/0x70 kfree+0x11b/0x320 btrfsrmdevreplacefreesrcdev+0xca/0x280 [btrfs] btrfsdevreplacefinishing+0xd7e/0x14f0 [btrfs] btrfsdevreplacebyioctl+0x1286/0x25a0 [btrfs] btrfsioctl+0xb27/0x57d0 [btrfs] _x64sysioctl+0x134/0x1b0 dosyscall64+0x99/0x190 entrySYSCALL64afterhwframe+0x6e/0x76

The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)

The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) pagetype: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

This UAF happens because we're accessing stale zone information of a already removed btrfsdevice in dozone_finish().

The sequence of events is as follows:

btrfsdevreplacestart btrfsscrubdev btrfsdevreplacefinishing btrfsdevreplaceupdatedeviceinmappingtree <-- devices replaced btrfsrmdevreplacefreesrcdev btrfsfreedevice <-- device freed

cleanerkthread btrfsdeleteunusedbgs btrfszonefinish dozonefinish <-- refers the freed device

The reason for this is that we're using a ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4dcbb8ab31c1292aea6a3f240e19523f633320c2
Fixed
34ca809e055eca5cfe63d9c7efbf80b7c21b4e57
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4dcbb8ab31c1292aea6a3f240e19523f633320c2
Fixed
1ec17ef59168a1a6f1105f5dc517f783839a5302

Affected versions

v5.*

v5.17
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-26944-7a0fc14b",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ec17ef59168a1a6f1105f5dc517f783839a5302",
        "target": {
            "file": "fs/btrfs/zoned.c",
            "function": "do_zone_finish"
        },
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 2461.0,
            "function_hash": "167769436227192270313270889154492827608"
        }
    },
    {
        "id": "CVE-2024-26944-b814f8f6",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ec17ef59168a1a6f1105f5dc517f783839a5302",
        "target": {
            "file": "fs/btrfs/zoned.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "296485909753592348215590702035423973730",
                "168870151593064014731992782391427668111",
                "190967533391762100296047511119884918694",
                "305734183601165156642472393042807156580",
                "323872210325311784680431332968123191995",
                "313972715112378856992143936745060230737",
                "193133904891312589228743778978961858447",
                "184927299036527615121285700409138451935",
                "188505058886581550624062103115505177042",
                "317861302494051890453606535245178224207",
                "190880779094411461120938330537060698748",
                "231919902297431052914146251260368951868",
                "47094099555610417519285860738891533573",
                "9192431344743619849023820040554908090",
                "255095236668510372343636010412503553765",
                "228629650719081065619324853137458336104",
                "286204902269261971518091630826564952999",
                "54258316318111234017000329040542654330",
                "302968128323629531079358534310626904704",
                "241347700797313431415036782978803120782",
                "272312178184303810642642164517396017842",
                "151857170148406037400288183407776186752",
                "206271085107374343257231836085817140430",
                "5232601418819513270062322455642124182",
                "300612717105267491561522875306362084842",
                "172323547174712419865065231350217730156",
                "339382015342740949587980342968302258401",
                "86843803705924374476335200030445445761"
            ],
            "threshold": 0.9
        }
    },
    {
        "id": "CVE-2024-26944-bf216758",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@34ca809e055eca5cfe63d9c7efbf80b7c21b4e57",
        "target": {
            "file": "fs/btrfs/zoned.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "296485909753592348215590702035423973730",
                "168870151593064014731992782391427668111",
                "190967533391762100296047511119884918694",
                "305734183601165156642472393042807156580",
                "323872210325311784680431332968123191995",
                "313972715112378856992143936745060230737",
                "193133904891312589228743778978961858447",
                "184927299036527615121285700409138451935",
                "188505058886581550624062103115505177042",
                "317861302494051890453606535245178224207",
                "190880779094411461120938330537060698748",
                "231919902297431052914146251260368951868",
                "47094099555610417519285860738891533573",
                "9192431344743619849023820040554908090",
                "255095236668510372343636010412503553765",
                "228629650719081065619324853137458336104",
                "286204902269261971518091630826564952999",
                "54258316318111234017000329040542654330",
                "302968128323629531079358534310626904704",
                "241347700797313431415036782978803120782",
                "272312178184303810642642164517396017842",
                "151857170148406037400288183407776186752",
                "206271085107374343257231836085817140430",
                "5232601418819513270062322455642124182",
                "300612717105267491561522875306362084842",
                "172323547174712419865065231350217730156",
                "339382015342740949587980342968302258401",
                "86843803705924374476335200030445445761"
            ],
            "threshold": 0.9
        }
    },
    {
        "id": "CVE-2024-26944-fbe5b649",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@34ca809e055eca5cfe63d9c7efbf80b7c21b4e57",
        "target": {
            "file": "fs/btrfs/zoned.c",
            "function": "do_zone_finish"
        },
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 2461.0,
            "function_hash": "167769436227192270313270889154492827608"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.8.3