CVE-2024-35849

Source
https://cve.org/CVERecord?id=CVE-2024-35849
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35849.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35849
Published
2024-05-17T14:47:27.486Z
Modified
2026-05-28T03:53:15.699290661Z
Summary
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

Syzbot reported the following information leak in btrfs_ioctl_logical_to_ino():

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x110 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
 btrfs_ioctl+0x714/0x1260
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
 __do_kmalloc_node mm/slub.c:3954 [inline]
 __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0xc0/0x2d0 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
 btrfs_ioctl+0x714/0x1260
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 40-65535 of 65536 are uninitialized
Memory access of size 65536 starts at ffff888045a40000

This happens because we copy a 'struct btrfs_data_container' back to user space in its entirety. That btrfs_data_container is allocated in init_data_container() via kvmalloc(), which does not zero-fill the memory, so every byte past the initialized header is stale kernel heap content that ends up being disclosed to the caller.

Fix this by using kvzalloc() which zeroes out the memory on allocation.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35849.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Events
Introduced: a542ad1bafc7df9fc16de8a6894b350a4df75572
Fixed: 689efe22e9b5b7d9d523119a9a5c3c17107a0772
Fixed: 73db209dcd4ae026021234d40cfcb2fb5b564b86
Fixed: 30189e54ba80e3209d34cfeea87b848f6ae025e6
Fixed: e58047553a4e859dafc8d1d901e1de77c9dd922d
Fixed: 8bdbcfaf3eac42f98e5486b3d7e130fa287811f6
Fixed: 3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc
Fixed: fddc19631c51d9c17d43e9f822a7bc403af88d54
Fixed: 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35849.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM (one range per stable series)

Introduced    Fixed
3.2.0         4.19.313
4.20.0        5.4.275
5.5.0         5.10.216
5.11.0        5.15.158
5.16.0        6.1.90
6.2.0         6.6.30
6.7.0         6.8.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35849.json"