CVE-2024-26644 in Linux
Summary
by MITRE • 03/26/2024
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
If the source file descriptor to the snapshot ioctl refers to a deleted subvolume, we get the following abort:
BTRFS: Transaction aborted (error -2)
WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]
Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c
CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]
RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027
RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840
RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998
R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe
R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80
FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0
Call Trace:
 ? create_pending_snapshot+0x1040/0x1190 [btrfs]
 ? __warn+0x81/0x130
 ? create_pending_snapshot+0x1040/0x1190 [btrfs]
 ? report_bug+0x171/0x1a0
 ? handle_bug+0x3a/0x70
 ? exc_invalid_op+0x17/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? create_pending_snapshot+0x1040/0x1190 [btrfs]
 ? create_pending_snapshot+0x1040/0x1190 [btrfs]
 create_pending_snapshots+0x92/0xc0 [btrfs]
 btrfs_commit_transaction+0x66b/0xf40 [btrfs]
 btrfs_mksubvol+0x301/0x4d0 [btrfs]
 btrfs_mksnapshot+0x80/0xb0 [btrfs]
 __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
 btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]
 btrfs_ioctl+0x8a6/0x2650 [btrfs]
 ? kmem_cache_free+0x22/0x340
 ? do_sys_openat2+0x97/0xe0
 __x64_sys_ioctl+0x97/0xd0
 do_syscall_64+0x46/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe20abe83af
RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af
RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58
---[ end trace 0000000000000000 ]---
BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry
BTRFS info (device vdc: state EA): forced readonly
BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.
BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry
This happens because create_pending_snapshot() initializes the new root item as a copy of the source root item. This includes the refs field, which is 0 for a deleted subvolume. The call to btrfs_insert_root() therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then finds the root and returns -ENOENT if refs == 0, which causes create_pending_snapshot() to abort.
Fix it by checking the source root's refs before attempting the snapshot, but after locking subvol_sem to avoid racing with deletion.
Analysis
by VulDB Data Team • 03/17/2025
CVE-2024-26644 affects the btrfs filesystem in the Linux kernel, specifically the snapshot ioctl path when the source of the snapshot is a deleted subvolume. It is reached when a user-space program passes the snapshot ioctl a file descriptor that was opened on a subvolume before that subvolume was deleted: the subvolume's root item is still on disk at that point, with its reference count at zero, and the descriptor remains usable. Nothing in the ioctl path validates the state of the source before the snapshot is committed, so the transaction is aborted part-way through and btrfs forces the filesystem read-only. The abort is what protects on-disk consistency; the outcome is loss of write access, not corruption.
The defect is in create_pending_snapshot() in the btrfs module, which initialises the new root item by copying the source root item without checking the source subvolume's state. A deleted subvolume's root item has refs == 0, the copy carries that value over, and btrfs_insert_root() therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then looks the new root up, sees refs == 0 and returns -ENOENT. Because this happens inside the transaction commit (create_pending_snapshots() called from btrfs_commit_transaction() in the call trace), there is no way to back the partial work out and the only recourse is to abort the transaction: the error is logged ("error ... in create_pending_snapshot:1875: errno=-2"), the commit is skipped ("Skipping commit of aborted transaction") and the filesystem is switched to read-only.
The impact is on availability and, indirectly, on data integrity: once the filesystem has been forced read-only every subsequent write fails until the volume is unmounted and remounted (or the host rebooted), and anything applications had in flight at that moment is lost. This matters most on systems that rely on btrfs snapshots for backups, rollbacks or container layers, where snapshot creation is automated and a stale handle to a subvolume that has since been removed is easy to produce. An error return from the ioctl alone does not reveal what happened; the distinguishing symptom is the read-only state and the "BTRFS info (device vdc: state EA): forced readonly" line in the kernel log. The call trace shows the full path from the ioctl entry point (btrfs_ioctl_snap_create_v2, __btrfs_ioctl_snap_create, btrfs_mksnapshot, btrfs_mksubvol) into btrfs_commit_transaction and the abort in create_pending_snapshot.
The fix validates the source root's reference count before the snapshot is attempted. The check is made after subvol_sem has been taken but before the transaction is started, so a concurrent deletion cannot slip in between the check and the snapshot; a source with refs == 0 is rejected with -ENOENT returned to the caller without the transaction ever being touched, instead of being discovered inside the commit where the only option is an abort. This is the fail-fast pattern kernel code should follow: validate state under the lock that protects it, and refuse early rather than let an invalid object propagate into a path that cannot recover. Snapshots of live subvolumes are unaffected.
From a security standpoint this is a local denial of service: a user who is allowed to snapshot a subvolume, holds a descriptor to it from before its deletion, and then issues the snapshot ioctl takes the whole filesystem read-only, and automated snapshot tooling that keeps stale handles can do the same by accident. The bug is a textbook case of copying an object's state without validating it, and of a check that belongs under the lock protecting the state it checks. On classification: the outcome maps to ATT&CK T1499 (Endpoint Denial of Service); the sub-technique T1499.001 cited for this entry is "OS Exhaustion Flood", which does not describe this bug, and T1499.004 (Application or System Exploitation) is the closer fit. VulDB records CWE-682 (Incorrect Calculation); in substance the weakness is a missing validation of the source subvolume's reference count rather than a miscalculation.