CVE-2024-50217

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in _btrfsfreeextradevids()

Mounting btrfs from two images (which have the same one fsid and two different devuuids) in certain executing order may trigger an UAF for variable 'device->bdevfile' in _btrfsfreeextradevids(). And following are the details:

1. Attach image1 to loop0, attach image2 to loop1, and scan btrfs devices by ioctl(BTRFSIOCSCAN_DEV):

         /  btrfs_device_1 → loop0
   

   fsdevice \ btrfsdevice_2 → loop1

2. mount /dev/loop0 /mnt btrfsopendevices btrfsdevice1->bdevfile = btrfsgetbdevandsb(loop0) btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree fail: btrfsclosedevices // -ENOMEM btrfsclosebdev(btrfsdevice1) fput(btrfsdevice1->bdevfile) // btrfsdevice1->bdevfile is freed btrfsclosebdev(btrfsdevice2) fput(btrfsdevice2->bdevfile)

3. mount /dev/loop1 /mnt btrfsopendevices btrfsgetbdevandsb(&bdevfile) // EIO, btrfsdevice1->bdevfile is not assigned, // which points to a freed memory area btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree btrfsfreeextradevids if (btrfsdevice1->bdevfile) fput(btrfsdevice1->bdev_file) // UAF !

Fix it by setting 'device->bdevfile' as 'NULL' after closing the btrfsdevice in btrfscloseone_device().