CVE-2024-49869

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49869
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49869.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49869
Related
Published
2024-10-21T18:15:08Z
Modified
2024-10-24T21:50:08.234362Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: send: fix buffer overflow detection when copying path to cache entry

Starting with commit c0247d289e73 ("btrfs: send: annotate struct name_cache_entry with __counted_by()") we annotated the variable length array "name" from the name_cache_entry structure with __counted_by() to improve overflow detection. However that alone was not correct, because the length of that array does not match the "name_len" field - it matches that plus 1 to include the NUL string terminator, so that makes a fortified kernel think there's an overflow and report a splat like this:

strcpy: detected buffer overflow: 20 byte write of buffer size 19
WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50
CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1
Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018
RIP: 0010:__fortify_report+0x45/0x50
Code: 48 8b 34 (...)
RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246
RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027
RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8
RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd
R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400
R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8
FS:  00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __warn+0x12a/0x1d0
 ? __fortify_report+0x45/0x50
 ? report_bug+0x154/0x1c0
 ? handle_bug+0x42/0x70
 ? exc_invalid_op+0x1a/0x50
 ? asm_exc_invalid_op+0x1a/0x20
 ? __fortify_report+0x45/0x50
 __fortify_panic+0x9/0x10
 __get_cur_name_and_parent+0x3bc/0x3c0
 get_cur_path+0x207/0x3b0
 send_extent_data+0x709/0x10d0
 ? find_parent_nodes+0x22df/0x25d0
 ? mas_nomem+0x13/0x90
 ? mtree_insert_range+0xa5/0x110
 ? btrfs_lru_cache_store+0x5f/0x1e0
 ? iterate_extent_inodes+0x52d/0x5a0
 process_extent+0xa96/0x11a0
 ? __pfx_lookup_backref_cache+0x10/0x10
 ? __pfx_store_backref_cache+0x10/0x10
 ? __pfx_iterate_backrefs+0x10/0x10
 ? __pfx_check_extent_item+0x10/0x10
 changed_cb+0x6fa/0x930
 ? tree_advance+0x362/0x390
 ? memcmp_extent_buffer+0xd7/0x160
 send_subvol+0xf0a/0x1520
 btrfs_ioctl_send+0x106b/0x11d0
 ? __pfx_clone_root_cmp_sort+0x10/0x10
 _btrfs_ioctl_send+0x1ac/0x240
 btrfs_ioctl+0x75b/0x850
 __se_sys_ioctl+0xca/0x150
 do_syscall_64+0x85/0x160
 ? __count_memcg_events+0x69/0x100
 ? handle_mm_fault+0x1327/0x15c0
 ? __se_sys_rt_sigprocmask+0xf1/0x180
 ? syscall_exit_to_user_mode+0x75/0xa0
 ? do_syscall_64+0x91/0x160
 ? do_user_addr_fault+0x21d/0x630
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fae145eeb4f
Code: 00 48 89 (...)
RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f
RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004
RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8
R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004
 </TASK>

Fix this by not storing the NUL string terminator since we don't actually need it for name cache entries, this way "name_len" corresponds to the actual size of the "name" array. This requires marking the "name" array field with __nonstring and using memcpy() instead of strcpy() as recommended by the guidelines at:

https://github.com/KSPP/linux/issues/90
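
The following is an added example, not code from the kernel or from this advisory. It models the name_cache_entry layout from fs/btrfs/send.c (only the fields that matter, with simplified types) and the bound a fortified kernel derives from __counted_by(name_len), to show why strcpy() of a NUL-terminated path of name_len bytes trips the check while memcpy() of exactly name_len bytes does not, and what a __nonstring buffer costs its consumers. The helpers fortify_object_size(), simulate_fortified_copy(), cache_entry_create(), cache_entry_matches() and cache_entry_roundtrip() and the sample path are assumptions made for the example.

```c
/*
 * Added example, not the kernel's code. Models name_cache_entry from
 * fs/btrfs/send.c (fields and types simplified) and the size bound that
 * __counted_by(name_len) hands to FORTIFY_SOURCE. All helper names below
 * are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct name_cache_entry {
	size_t name_len;
	/* kernel: char name[] __counted_by(name_len); after the fix also __nonstring */
	char name[];
};

/*
 * What a fortified kernel learns from __counted_by(name_len): "name" is
 * exactly name_len bytes, whatever was really allocated. Modelled explicitly
 * because user-space compilers only honour the attribute in recent releases.
 */
static size_t fortify_object_size(const struct name_cache_entry *e)
{
	return e->name_len;
}

struct copy_result {
	size_t bytes_written;   /* what the copy routine would write */
	size_t bytes_allocated; /* what was really reserved for "name" */
	size_t fortify_size;    /* what the fortified copy believes "name" holds */
	int fortify_fired;      /* 1: fortified copy WARNs and refuses the write */
	int real_overflow;      /* 1: the write would exceed the allocation */
};

/*
 * fixed == 0: pre-fix behaviour, allocate name_len + 1 and strcpy() the path,
 *             which writes strlen(path) + 1 bytes (terminator included).
 * fixed == 1: post-fix behaviour, allocate name_len and memcpy() name_len bytes.
 */
static struct copy_result simulate_fortified_copy(const char *path, int fixed)
{
	size_t len = strlen(path);
	struct copy_result r = {0};
	struct name_cache_entry *e;

	r.bytes_allocated = fixed ? len : len + 1;
	e = malloc(sizeof(*e) + r.bytes_allocated);
	if (!e)
		return r;
	e->name_len = len;
	r.bytes_written = fixed ? len : len + 1;
	r.fortify_size = fortify_object_size(e);
	r.fortify_fired = r.bytes_written > r.fortify_size;
	r.real_overflow = r.bytes_written > r.bytes_allocated;
	/* A fortified kernel never reaches the copy once the check fires. */
	if (!r.fortify_fired) {
		if (fixed)
			memcpy(e->name, path, len);
		else
			strcpy(e->name, path);
	}
	free(e);
	return r;
}

/* Post-fix construction: no terminator stored, name_len covers the whole array. */
static struct name_cache_entry *cache_entry_create(const char *path)
{
	size_t len = strlen(path);
	struct name_cache_entry *e = malloc(sizeof(*e) + len);

	if (!e)
		return NULL;
	e->name_len = len;
	memcpy(e->name, path, len); /* exactly name_len bytes, never strcpy() */
	return e;
}

/* The price of __nonstring: "name" must never see strcmp(), strlen() or "%s". */
static int cache_entry_matches(const struct name_cache_entry *e, const char *path)
{
	size_t len = strlen(path);

	return e->name_len == len && memcmp(e->name, path, len) == 0;
}

/* Create an entry for path, test probe against it, free it; -1 on OOM. */
static int cache_entry_roundtrip(const char *path, const char *probe)
{
	struct name_cache_entry *e = cache_entry_create(path);
	int hit;

	if (!e)
		return -1;
	hit = cache_entry_matches(e, probe);
	free(e);
	return hit;
}

int main(void)
{
	/* Constructed 19-byte path: strcpy() writes 20 bytes, the splat's numbers. */
	const char *path = "subvol/dir/file.txt";
	struct copy_result before = simulate_fortified_copy(path, 0);
	struct copy_result after = simulate_fortified_copy(path, 1);

	printf("pre-fix:  %zu byte write of buffer size %zu, fired=%d, real overflow=%d\n",
	       before.bytes_written, before.fortify_size, before.fortify_fired, before.real_overflow);
	printf("post-fix: %zu byte write of buffer size %zu, fired=%d, real overflow=%d\n",
	       after.bytes_written, after.fortify_size, after.fortify_fired, after.real_overflow);
	printf("lookup exact=%d truncated=%d\n", cache_entry_roundtrip(path, path),
	       cache_entry_roundtrip(path, "subvol/dir/file"));
	return 0;
}
```

The pre-fix run reports a 20 byte write into a buffer the check sizes at 19 even though 20 bytes were allocated, which is the false positive from the splat; the post-fix run writes and allocates 19. The consequence of the fix is in cache_entry_matches(): once the terminator is gone, every reader of "name" has to carry name_len and use memcmp(), because any str*() call or "%s" format on it reads past the allocation.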

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.11.4-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}