CVE-2024-35798

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35798
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35798.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35798
Downstream
Published
2024-05-17T13:23:08.868Z
Modified
2025-11-20T04:14:33.740304Z
Summary
btrfs: fix race in read_extent_buffer_pages()
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race in readextentbuffer_pages()

There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed.

To prevent concurrent reads for the same extent buffer, readextentbuffer_pages() performs these checks:

/* (1) */
if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
    return 0;

/* (2) */
if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))
    goto done;

At this point, it seems safe to start the actual read operation. Once that completes, endbbiometa_read() does

/* (3) */
set_extent_buffer_uptodate(eb);

/* (4) */
clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving:

Thread A | Thread B | Thread C
---------+----------+---------
   (1)   |          |
         |    (1)   |
   (2)   |          |
   (3)   |          |
   (4)   |          |
         |    (2)   |
         |          |    (1)

When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified:

BTRFS critical (device dm-0): corrupted node, root=256
block=8550954455682405139 owner mismatch, have 11858205567642294356
expect [256, 18446744073709551360]

Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read.

[ minor update of changelog ]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7172f52e9933b6ec9305e7fe6e829e3939dba04
Fixed
0427c8ef8bbb7f304de42ef51d69c960e165e052
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7172f52e9933b6ec9305e7fe6e829e3939dba04
Fixed
3a25878a3378adce5d846300c9570f15aa7f7a80
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7172f52e9933b6ec9305e7fe6e829e3939dba04
Fixed
2885d54af2c2e1d910e20d5c8045bae40e02fbc1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7172f52e9933b6ec9305e7fe6e829e3939dba04
Fixed
ef1e68236b9153c27cb7cf29ead0c532870d4215

Affected versions

v6.*

v6.4
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "244860295154560914661115200884769415830",
                "151550505142823828944155927973984918043",
                "176825488235561253652456416284285015049"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2885d54af2c2e1d910e20d5c8045bae40e02fbc1",
        "target": {
            "file": "fs/btrfs/extent_io.c"
        },
        "id": "CVE-2024-35798-2d6635f9"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 1486.0,
            "function_hash": "259234399510024586390112242357818798583"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2885d54af2c2e1d910e20d5c8045bae40e02fbc1",
        "target": {
            "file": "fs/btrfs/extent_io.c",
            "function": "read_extent_buffer_pages"
        },
        "id": "CVE-2024-35798-362a0e41"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "244860295154560914661115200884769415830",
                "151550505142823828944155927973984918043",
                "176825488235561253652456416284285015049"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef1e68236b9153c27cb7cf29ead0c532870d4215",
        "target": {
            "file": "fs/btrfs/extent_io.c"
        },
        "id": "CVE-2024-35798-69e15242"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 1489.0,
            "function_hash": "117316053210905963425233943332691565237"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef1e68236b9153c27cb7cf29ead0c532870d4215",
        "target": {
            "file": "fs/btrfs/extent_io.c",
            "function": "read_extent_buffer_pages"
        },
        "id": "CVE-2024-35798-f20480a5"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.24
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.12
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.8.3