CVE-2024-50217

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50217
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50217.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50217
Downstream
Related
Published
2024-11-09T11:15:07Z
Modified
2025-08-09T20:01:26Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in _btrfsfreeextradevids()

Mounting btrfs from two images (which have the same one fsid and two different devuuids) in certain executing order may trigger an UAF for variable 'device->bdevfile' in _btrfsfreeextradevids(). And following are the details:

  1. Attach image1 to loop0, attach image2 to loop1, and scan btrfs devices by ioctl(BTRFSIOCSCAN_DEV):

          /  btrfs_device_1 → loop0
    

    fsdevice \ btrfsdevice_2 → loop1

  2. mount /dev/loop0 /mnt btrfsopendevices btrfsdevice1->bdevfile = btrfsgetbdevandsb(loop0) btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree fail: btrfsclosedevices // -ENOMEM btrfsclosebdev(btrfsdevice1) fput(btrfsdevice1->bdevfile) // btrfsdevice1->bdevfile is freed btrfsclosebdev(btrfsdevice2) fput(btrfsdevice2->bdevfile)

  3. mount /dev/loop1 /mnt btrfsopendevices btrfsgetbdevandsb(&bdevfile) // EIO, btrfsdevice1->bdevfile is not assigned, // which points to a freed memory area btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree btrfsfreeextradevids if (btrfsdevice1->bdevfile) fput(btrfsdevice1->bdev_file) // UAF !

Fix it by setting 'device->bdevfile' as 'NULL' after closing the btrfsdevice in btrfscloseone_device().

References

Affected packages