CVE-2024-49868

MEDIUM · EPSS 20.4%
Published Oct 21, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1 base score 5.5 (Medium)

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix a NULL pointer dereference when failed to start a new transaction

[BUG]
Syzbot reported a NULL pointer dereference with the following crash:

  FAULT_INJECTION: forcing a failure.
   start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
   prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
   relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
   ...
  BTRFS info (device loop0): balance: ended with status: -12
  Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
  RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
  Call Trace:
   <TASK>
   commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
   btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
   del_balance_item fs/btrfs/volumes.c:3678 [inline]
   reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
   btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
   btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:907 [inline]
   __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

[CAUSE]
The allocation failure happens at the start_transaction() inside prepare_to_relocate(), and during the error handling we call unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.

Then we continue the error path cleanup in btrfs_balance() by calling reset_balance_state() which will call del_balance_item() to fully delete the balance item in the root tree.

However during the small window between set_reloc_control() and unset_reloc_control(), we can have a subvolume tree update and create a reloc_root for that subvolume.

Then we go into the final btrfs_commit_transaction() of del_balance_item(), and into btrfs_update_reloc_root() inside commit_fs_roots(). That function checks if fs_info->reloc_ctl is in the merge_reloc_tree stage, but since fs_info->reloc_ctl is NULL, it results in a NULL pointer dereference.

[FIX]
Just add an extra check on fs_info->reloc_ctl inside btrfs_update_reloc_root(), before checking fs_info->reloc_ctl->merge_reloc_tree.

That DEAD_RELOC_TREE handling is to prevent further modification to the reloc tree during the merge stage, but since there is no reloc_ctl at all, we do not need to bother with that.
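As an added example (not the kernel's code and not the patch itself), the following simplified C model replays the sequence described under [CAUSE] and contrasts the unguarded dereference with the guarded form the [FIX] describes. The struct definitions, the `_unguarded`/`_guarded` function names, `replay_failed_balance` and the `reloc_outcome` enum are all constructed for this example; only the field names `reloc_ctl` and `merge_reloc_tree` come from the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in structs for this example; not the kernel's definitions. */
struct reloc_control {
    bool merge_reloc_tree;            /* set while reloc trees are being merged */
};

struct btrfs_fs_info {
    struct reloc_control *reloc_ctl;  /* NULL once unset_reloc_control() ran */
};

struct btrfs_root {
    bool has_reloc_root;              /* a reloc_root exists for this subvolume */
};

/* What the reloc-root update would do, reported instead of performed. */
enum reloc_outcome {
    RELOC_SKIP = 0,        /* nothing to do for this root */
    RELOC_MERGE_STAGE = 1, /* DEAD_RELOC_TREE handling applies */
    RELOC_NULL_DEREF = 2   /* the kernel would oops here */
};

typedef enum reloc_outcome (*update_fn)(const struct btrfs_fs_info *,
                                        const struct btrfs_root *);

/* Pre-fix shape: reads reloc_ctl->merge_reloc_tree without checking reloc_ctl.
 * The NULL case is detected and reported so the model does not actually crash. */
static enum reloc_outcome update_reloc_root_unguarded(const struct btrfs_fs_info *fs_info,
                                                      const struct btrfs_root *root)
{
    if (!root->has_reloc_root)
        return RELOC_SKIP;
    if (fs_info->reloc_ctl == NULL)
        return RELOC_NULL_DEREF;  /* fs_info->reloc_ctl->merge_reloc_tree faults */
    return fs_info->reloc_ctl->merge_reloc_tree ? RELOC_MERGE_STAGE : RELOC_SKIP;
}

/* Post-fix shape: the extra reloc_ctl check precedes the merge_reloc_tree read. */
static enum reloc_outcome update_reloc_root_guarded(const struct btrfs_fs_info *fs_info,
                                                    const struct btrfs_root *root)
{
    if (!root->has_reloc_root)
        return RELOC_SKIP;
    if (!fs_info->reloc_ctl)
        return RELOC_SKIP;        /* added check: no reloc_ctl, nothing to merge */
    return fs_info->reloc_ctl->merge_reloc_tree ? RELOC_MERGE_STAGE : RELOC_SKIP;
}

/* Replays the failure path from the report on the model objects:
 * balance sets reloc_ctl, a subvolume update creates a reloc_root inside the
 * window, start_transaction() fails so the error path clears reloc_ctl, and
 * the final commit of del_balance_item() runs the reloc-root update. */
static enum reloc_outcome replay_failed_balance(update_fn update)
{
    struct reloc_control rc = { .merge_reloc_tree = false };
    struct btrfs_fs_info fs_info = { .reloc_ctl = &rc };   /* set_reloc_control() */
    struct btrfs_root subvol = { .has_reloc_root = true }; /* created in the window */

    fs_info.reloc_ctl = NULL;  /* unset_reloc_control() after the -ENOMEM */
    return update(&fs_info, &subvol);                       /* commit_fs_roots() */
}

int main(void)
{
    printf("unguarded: %d (2 = NULL deref)\n",
           (int)replay_failed_balance(update_reloc_root_unguarded));
    printf("guarded:   %d (0 = skipped safely)\n",
           (int)replay_failed_balance(update_reloc_root_guarded));
    return 0;
}
```

The guarded variant returns RELOC_SKIP on the failure path while still reporting RELOC_MERGE_STAGE when a live reloc_ctl is in the merge stage, which is the behaviour the [FIX] paragraph describes.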

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
20.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 6

Vendor   Product        Version   Range
linux    linux_kernel   *         <5.10.227
linux    linux_kernel   *         ≥5.11 – <5.15.168
linux    linux_kernel   *         ≥5.16 – <6.1.113
linux    linux_kernel   *         ≥6.2 – <6.6.55
linux    linux_kernel   *         ≥6.7 – <6.10.14
linux    linux_kernel   *         ≥6.11 – <6.11.3

References 10

  • git.kernel.org https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0
  • git.kernel.org https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f
    Patch