CVE - CVE-2024-35798

CVE-ID
CVE-2024-35798	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race in read_extent_buffer_pages() There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed. To prevent concurrent reads for the same extent buffer, read_extent_buffer_pages() performs these checks: /* (1) / if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) return 0; / (2) / if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags)) goto done; At this point, it seems safe to start the actual read operation. Once that completes, end_bbio_meta_read() does / (3) / set_extent_buffer_uptodate(eb); / (4) */ clear_bit(EXTENT_BUFFER_READING, &eb->bflags); Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving: Thread A \| Thread B \| Thread C ---------+----------+--------- (1) \| \| \| (1) \| (2) \| \| (3) \| \| (4) \| \| \| (2) \| \| \| (1) When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified: BTRFS critical (device dm-0): corrupted node, root=256 block=8550954455682405139 owner mismatch, have 11858205567642294356 expect [256, 18446744073709551360] Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read. [ minor update of changelog ]
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052 URL:https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052 MISC:https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1 URL:https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1 MISC:https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80 URL:https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80 MISC:https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215 URL:https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215
Assigning CNA
kernel.org
Date Record Created
20240517	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240517)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)