CVE-2024-50273

Source
https://cve.org/CVERecord?id=CVE-2024-50273
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50273.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50273
Published
2024-11-19T01:30:12.589Z
Modified
2026-03-11T07:53:34.699898Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
btrfs: reinitialize delayed ref list after deleting it from the list
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reinitialize delayed ref list after deleting it from the list

At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise.

So fix this by deleting from the list with list_del_init() instead.
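The list_del() versus list_del_init() difference behind this bug, as an added, self-contained example (not kernel code and not part of the CVE record): a user-space stand-in for struct list_head with the kernel's poison convention, a drop_ref() that follows the drop_delayed_ref() pattern described above, and a replay() of the unlink-then-drop sequence on both the buggy and the fixed path. The poison constants, list helpers, drop_ref() and replay() are all constructed for this example.

```c
#include <stdio.h>
/* Stand-ins for the kernel's struct list_head and poison values
 * (constructed for this example, not taken from the kernel headers). */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *e, struct list_head *head) {
    e->next = head->next; e->prev = head;
    head->next->prev = e; head->next = e;
}
/* list_del(): unlink and poison, as in the kernel; the entry is not reusable. */
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
}
/* list_del_init(): unlink and reinitialize; list_empty() is true afterwards. */
static void list_del_init(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);
}
/* Mirrors the drop_delayed_ref() pattern from the description: if the ref is
 * still on its add_list, unlink it. Returns 0 on success, -1 where the real
 * kernel would touch poisoned pointers (a splat with CONFIG_DEBUG_LIST,
 * an invalid dereference otherwise). */
static int drop_ref(struct list_head *add_list) {
    if (list_empty(add_list)) return 0;
    if (add_list->next == LIST_POISON1 || add_list->prev == LIST_POISON2) return -1;
    list_del(add_list);
    return 0;
}
/* Replays the sequence: the ref sits on the head's ref_add_list, the action
 * update unlinks it, and the ref is dropped later. use_init selects the
 * fixed list_del_init() path (1) or the buggy list_del() path (0). */
static int replay(int use_init) {
    struct list_head ref_add_list, add_list;
    INIT_LIST_HEAD(&ref_add_list);
    list_add(&add_list, &ref_add_list);
    if (use_init) list_del_init(&add_list); else list_del(&add_list);
    return drop_ref(&add_list);
}
int main(void) {
    printf("list_del path: %d, list_del_init path: %d\n", replay(0), replay(1));
    return 0;
}
```

The buggy path reaches the poisoned pointers because list_empty() sees a non-self next pointer; the fixed path sees an empty, self-linked entry and skips the second unlink.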

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50273.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1d57ee941692d0cc928526e21a1557b2ae3e11db
Fixed
2fd0948a483e9cb2d669c7199bc620a21c97673d
Fixed
93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
Fixed
bf0b0c6d159767c0d1c21f793950d78486690ee0
Fixed
c24fa427fc0ae827b2a3a07f13738cbf82c3f851
Fixed
2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
Fixed
f04be6d68f715c1473a8422fc0460f57b5e99931
Fixed
50a3933760b427759afdd23156a7280a19357a92
Fixed
c9a75ec45f1111ef530ab186c2a7684d0a0c9245

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50273.json"