Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-50217

Disclosure Date: November 09, 2024
CVE-2024-50217 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Mounting btrfs from two images (which have the same one fsid and two
different dev_uuids) in certain executing order may trigger an UAF for
variable ‘device->bdev_file’ in __btrfs_free_extra_devids(). And
following are the details:

  1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs
    devices by ioctl(BTRFS_IOC_SCAN_DEV):

         /  btrfs_device_1 → loop0

    fs_device

         \  btrfs_device_2 → loop1

  2. mount /dev/loop0 /mnt
    btrfs_open_devices
    btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
    open_ctree
    fail: btrfs_close_devices // -ENOMEM

    btrfs_close_bdev(btrfs_device_1)
     fput(btrfs_device_1->bdev_file)
  // btrfs_device_1->bdev_file is freed
btrfs_close_bdev(btrfs_device_2)
     fput(btrfs_device_2->bdev_file)

  3. mount /dev/loop1 /mnt
    btrfs_open_devices
    btrfs_get_bdev_and_sb(&bdev_file)
    // EIO, btrfs_device_1->bdev_file is not assigned,
    // which points to a freed memory area
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
    open_ctree
    btrfs_free_extra_devids
    if (btrfs_device_1->bdev_file)
    fput(btrfs_device_1->bdev_file) // UAF !

Fix it by setting ‘device->bdev_file’ as ‘NULL’ after closing the
btrfs_device in btrfs_close_one_device().

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux 47a83f8df395
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

Weaknesses

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis