AZL-53096
See a problem?- Import Source
- https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53096.json
- JSON Data
- https://api.osv.dev/v1/vulns/AZL-53096
- Upstream
- Published
- 2024-11-09T11:15:07Z
- Modified
- 2026-04-21T04:33:36.054480Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CVE-2024-50217 affecting package kernel 6.6.126.1-1
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free of block device file in _btrfsfreeextradevids()
Mounting btrfs from two images (which have the same one fsid and two different devuuids) in certain executing order may trigger an UAF for variable 'device->bdevfile' in _btrfsfreeextradevids(). And following are the details:
Attach image1 to loop0, attach image2 to loop1, and scan btrfs devices by ioctl(BTRFSIOCSCAN_DEV):
/ btrfs_device_1 → loop0fsdevice \ btrfsdevice_2 → loop1
mount /dev/loop0 /mnt btrfsopendevices btrfsdevice1->bdevfile = btrfsgetbdevandsb(loop0) btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree fail: btrfsclosedevices // -ENOMEM btrfsclosebdev(btrfsdevice1) fput(btrfsdevice1->bdevfile) // btrfsdevice1->bdevfile is freed btrfsclosebdev(btrfsdevice2) fput(btrfsdevice2->bdevfile)
mount /dev/loop1 /mnt btrfsopendevices btrfsgetbdevandsb(&bdevfile) // EIO, btrfsdevice1->bdevfile is not assigned, // which points to a freed memory area btrfsdevice2->bdevfile = btrfsgetbdevandsb(loop1) btrfsfillsuper openctree btrfsfreeextradevids if (btrfsdevice1->bdevfile) fput(btrfsdevice1->bdev_file) // UAF !
Fix it by setting 'device->bdevfile' as 'NULL' after closing the btrfsdevice in btrfscloseone_device().
- References