CVE-2024-58089

{"id": "CVE-2024-58089", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-03-12T10:15:16.440", "references": [{"url": "https://git.kernel.org/stable/c/0283ee1912c8e243c931f4ee5b3672e954fe0384", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/21333148b5c9e52f41fafcedec3810b56a5e0e40", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72dad8e377afa50435940adfb697e070d3556670", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double accounting race when btrfs_run_delalloc_range() failed\n\n[BUG]\nWhen running btrfs with block size (4K) smaller than page size (64K,\naarch64), there is a very high chance to crash the kernel at\ngeneric/750, with the following messages:\n(before the call traces, there are 3 extra debug messages added)\n\n BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental\n BTRFS info (device dm-3): checking UUID tree\n hrtimer: interrupt took 5451385 ns\n BTRFS error (device dm-3): cow_file_range failed, root=4957 inode=257 start=1605632 len=69632: -28\n BTRFS error (device dm-3): run_delalloc_nocow failed, root=4957 inode=257 start=1605632 len=69632: -28\n BTRFS error (device dm-3): failed to run delalloc range, root=4957 ino=257 folio=1572864 submit_bitmap=8-15 start=1605632 len=69632: -28\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs]\n CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G OE 6.13.0-rc1-custom+ #89\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs]\n lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs]\n Call trace:\n can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P)\n can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L)\n btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs]\n extent_writepage+0x10c/0x3b8 [btrfs]\n extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n btrfs_writepages+0x94/0x160 [btrfs]\n do_writepages+0x74/0x190\n filemap_fdatawrite_wbc+0x74/0xa0\n start_delalloc_inodes+0x17c/0x3b0 [btrfs]\n btrfs_start_delalloc_roots+0x17c/0x288 [btrfs]\n shrink_delalloc+0x11c/0x280 [btrfs]\n flush_space+0x288/0x328 [btrfs]\n btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n process_one_work+0x228/0x680\n worker_thread+0x1bc/0x360\n kthread+0x100/0x118\n ret_from_fork+0x10/0x20\n ---[ end trace 0000000000000000 ]---\n BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0\n BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0\n CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G W OE 6.13.0-rc1-custom+ #89\n Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n Workqueue: btrfs_work_helper [btrfs] (btrfs-endio-write)\n pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : process_one_work+0x110/0x680\n lr : worker_thread+0x1bc/0x360\n Call trace:\n process_one_work+0x110/0x680 (P)\n worker_thread+0x1bc/0x360 (L)\n worker_thread+0x1bc/0x360\n kthread+0x100/0x118\n ret_from_fork+0x10/0x20\n Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661)\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Oops: Fatal exception\n SMP: stopping secondary CPUs\n SMP: failed to stop secondary CPUs 2-3\n Dumping ftrace buffer:\n (ftrace buffer empty)\n Kernel Offset: 0x275bb9540000 from 0xffff800080000000\n PHYS_OFFSET: 0xffff8fbba0000000\n CPU features: 0x100,00000070,00801250,8201720b\n\n[CAUSE]\nThe above warning is triggered immediately after the delalloc range\nfailure, this happens in the following sequence:\n\n- Range [1568K, 1636K) is dirty\n\n 1536K 1568K 1600K 1636K 1664K\n | |/////////|////////| |\n\n Where 1536K, 1600K and 1664K are page boundaries (64K page size)\n\n- Enter extent_writepage() for page 1536K\n\n- Enter run_delalloc_nocow() with locke\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: se corrige la doble ejecuci\u00f3n de contabilidad cuando btrfs_run_delalloc_range() falla [ERROR] Al ejecutar btrfs con un tama\u00f1o de bloque (4K) menor que el tama\u00f1o de p\u00e1gina (64K, aarch64), hay una gran posibilidad de que se bloquee el kernel en generic/750, con los siguientes mensajes: (antes de los seguimientos de llamadas, se agregan 3 mensajes de depuraci\u00f3n adicionales) Advertencia de BTRFS (dispositivo dm-3): lectura y escritura para tama\u00f1o de sector 4096 con tama\u00f1o de p\u00e1gina 65536 es experimental Informaci\u00f3n de BTRFS (dispositivo dm-3): comprobando \u00e1rbol UUID hrtimer: la interrupci\u00f3n tom\u00f3 5451385 ns Error de BTRFS (dispositivo dm-3): cow_file_range fall\u00f3, root=4957 inode=257 start=1605632 len=69632: -28 Error de BTRFS (dispositivo dm-3): run_delalloc_nocow fall\u00f3, ra\u00edz=4957 inodo=257 inicio=1605632 len=69632: -28 Error de BTRFS (dispositivo dm-3): no se pudo ejecutar el rango delalloc, ra\u00edz=4957 ino=257 folio=1572864 submit_bitmap=8-15 inicio=1605632 len=69632: -28 ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs] CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G OE 6.13.0-rc1-custom+ #89 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs] lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] Call trace: can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P) can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L) btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs] extent_writepage+0x10c/0x3b8 [btrfs] extent_write_cache_pages+0x21c/0x4e8 [btrfs] btrfs_writepages+0x94/0x160 [btrfs] do_writepages+0x74/0x190 filemap_fdatawrite_wbc+0x74/0xa0 start_delalloc_inodes+0x17c/0x3b0 [btrfs] btrfs_start_delalloc_roots+0x17c/0x288 [btrfs] shrink_delalloc+0x11c/0x280 [btrfs] flush_space+0x288/0x328 [btrfs] btrfs_async_reclaim_data_space+0x180/0x228 [btrfs] process_one_work+0x228/0x680 worker_thread+0x1bc/0x360 kthread+0x100/0x118 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0 BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0 CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G W OE 6.13.0-rc1-custom+ #89 Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: btrfs_work_helper [btrfs] (btrfs-endio-write) pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : process_one_work+0x110/0x680 lr : worker_thread+0x1bc/0x360 Call trace: process_one_work+0x110/0x680 (P) worker_thread+0x1bc/0x360 (L) worker_thread+0x1bc/0x360 kthread+0x100/0x118 ret_from_fork+0x10/0x20 Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception SMP: stopping secondary CPUs SMP: failed to stop secondary CPUs 2-3 Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: 0x275bb9540000 from 0xffff800080000000 PHYS_OFFSET: 0xffff8fbba0000000 CPU features: 0x100,00000070,00801250,8201720b [CAUSE] The above warning is triggered immediately after the delalloc range failure, this happens in the following sequence: - Range [1568K, 1636K) is dirty 1536K 1568K 1600K 1636K 1664K | |/////////|////////| | Where 1536K, 1600K and 1664K are page boundaries (64K page size) - Enter extent_writepage() for page 1536K - Enter run_delalloc_nocow() with locke ---truncado---"}], "lastModified": "2025-03-13T16:21:17.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B01A86DD-3782-4226-B75E-C55791CCFDF6", "versionEndExcluding": "6.12.17", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72E69ABB-9015-43A6-87E1-5150383CFFD9", "versionEndExcluding": "6.13.5", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.19.73:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95AAB7F6-7CB7-4223-8494-F756447DC6FF"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}