CVE-2024-36027

{"id": "CVE-2024-36027", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-05-30T16:15:11.070", "references": [{"url": "https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer\n\nBtrfs clears the content of an extent buffer marked as\nEXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is\nintroduced to prevent a write hole of an extent buffer, which is once\nallocated, marked dirty, but turns out unnecessary and cleaned up within\none transaction operation.\n\nCurrently, btrfs_clear_buffer_dirty() marks the extent buffer as\nEXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call\nhappens while the buffer is under IO (with the WRITEBACK flag set,\nwithout the DIRTY flag), we can add the ZEROOUT flag and clear the\nbuffer's content just before a bio submission. As a result:\n\n1) it can lead to adding faulty delayed reference item which leads to a\n FS corrupted (EUCLEAN) error, and\n\n2) it writes out cleared tree node on disk\n\nThe former issue is previously discussed in [1]. The corruption happens\nwhen it runs a delayed reference update. So, on-disk data is safe.\n\n[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/\n\nThe latter one can reach on-disk data. But, as that node is already\nprocessed by btrfs_clear_buffer_dirty(), that will be invalidated in the\nnext transaction commit anyway. So, the chance of hitting the corruption\nis relatively small.\n\nAnyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to\nkeep the content under IO intact."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: zonado: no marcar ZEROOUT en el b\u00fafer de extensi\u00f3n no sucio Btrfs borra el contenido de un b\u00fafer de extensi\u00f3n marcado como EXTENT_BUFFER_ZONED_ZEROOUT antes del env\u00edo de la biograf\u00eda. Este mecanismo se introduce para evitar un agujero de escritura en un b\u00fafer de extensi\u00f3n, que una vez asignado, se marca como sucio, pero resulta innecesario y se limpia dentro de una operaci\u00f3n de transacci\u00f3n. Actualmente, btrfs_clear_buffer_dirty() marca el b\u00fafer de extensi\u00f3n como EXTENT_BUFFER_ZONED_ZEROOUT y omite la funci\u00f3n de entrada. Si esta llamada ocurre mientras el b\u00fafer est\u00e1 bajo IO (con el indicador WRITEBACK configurado, sin el indicador DIRTY), podemos agregar el indicador ZEROOUT y borrar el contenido del b\u00fafer justo antes de enviar una biograf\u00eda. Como resultado: 1) puede provocar que se agregue un elemento de referencia retrasado defectuoso, lo que provoca un error de FS da\u00f1ado (EUCLEAN), y 2) escribe el nodo del \u00e1rbol borrado en el disco. El primer problema se analiz\u00f3 anteriormente en [1]. La corrupci\u00f3n ocurre cuando ejecuta una actualizaci\u00f3n de referencia retrasada. Por lo tanto, los datos en el disco est\u00e1n seguros. [1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/ Este \u00faltimo puede acceder a datos en disco. Pero, como ese nodo ya est\u00e1 procesado por btrfs_clear_buffer_dirty(), de todos modos se invalidar\u00e1 en la pr\u00f3xima confirmaci\u00f3n de transacci\u00f3n. Por lo tanto, la posibilidad de combatir la corrupci\u00f3n es relativamente peque\u00f1a. De todos modos, debemos omitir marcar ZEROOUT en un b\u00fafer de extensi\u00f3n que no sea DIRTY, para mantener intacto el contenido bajo IO."}], "lastModified": "2025-09-18T14:18:21.993", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6B3F478-AAC3-4675-897F-870080589B51", "versionEndExcluding": "6.8.8", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}