CVE-2024-35798 in Linuxinfo

Summary

by MITRE • 05/17/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race in read_extent_buffer_pages()

There are reports from tree-checker that detects corrupted nodes, without any obvious pattern so possibly an overwrite in memory. After some debugging it turns out there's a race when reading an extent buffer the uptodate status can be missed.

To prevent concurrent reads for the same extent buffer, read_extent_buffer_pages() performs these checks:

/* (1) */ if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) return 0;

/* (2) */ if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags)) goto done;

At this point, it seems safe to start the actual read operation. Once that completes, end_bbio_meta_read() does

/* (3) */ set_extent_buffer_uptodate(eb);

/* (4) */ clear_bit(EXTENT_BUFFER_READING, &eb->bflags);

Normally, this is enough to ensure only one read happens, and all other callers wait for it to finish before returning. Unfortunately, there is a racey interleaving:

Thread A | Thread B | Thread C ---------+----------+--------- (1) | | | (1) | (2) | | (3) | | (4) | | | (2) | | | (1)

When this happens, thread B kicks of an unnecessary read. Worse, thread C will see UPTODATE set and return immediately, while the read from thread B is still in progress. This race could result in tree-checker errors like this as the extent buffer is concurrently modified:

BTRFS critical (device dm-0): corrupted node, root=256 block=8550954455682405139 owner mismatch, have 11858205567642294356 expect [256, 18446744073709551360]

Fix it by testing UPTODATE again after setting the READING bit, and if it's been set, skip the unnecessary read.

[ minor update of changelog ]

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/19/2025

The vulnerability described in CVE-2024-35798 affects the Linux kernel's btrfs file system implementation, specifically within the read_extent_buffer_pages() function. This issue represents a race condition that can lead to memory corruption and tree-checker errors during concurrent read operations on extent buffers. The flaw manifests as intermittent corrupted node errors where the tree-checker detects inconsistencies in data structures without any clear pattern, suggesting memory overwrites occurring during concurrent access. The vulnerability stems from insufficient synchronization mechanisms during the read process, creating a window where multiple threads can interfere with each other's operations on the same extent buffer.

The technical flaw occurs in the sequence of checks performed by read_extent_buffer_pages() which attempts to prevent concurrent reads through a two-step process involving the EXTENT_BUFFER_UPTODATE and EXTENT_BUFFER_READING flags. The first check at position (1) verifies if the extent buffer is already marked as up-to-date, returning immediately if so. The second check at position (2) attempts to set the reading flag using test_and_set_bit, which should prevent other threads from proceeding. However, this mechanism fails due to a race condition where thread B can successfully set the reading flag and begin reading while thread C, checking at position (1), sees the UPTODATE flag already set by thread A and incorrectly assumes the data is valid. The race occurs between the initial UPTODATE check and the subsequent reading operation, allowing threads to bypass proper synchronization.

The operational impact of this vulnerability is significant for systems relying on btrfs file systems, particularly those experiencing concurrent read operations on the same data structures. The race condition can cause tree-checker errors that manifest as corrupted node messages with owner mismatch errors, indicating that data structures are being modified concurrently in ways that violate expected consistency models. These errors can lead to data corruption, file system instability, and potential data loss scenarios where the integrity of the btrfs file system is compromised. The intermittent nature of the issue makes it particularly challenging to detect and debug, as it may only occur under specific concurrent access patterns or system load conditions.

The fix implemented addresses the race condition by adding an additional UPTODATE check after setting the READING bit, ensuring that if another thread has already completed the read operation and marked the buffer as up-to-date, the current thread skips the unnecessary read operation. This approach aligns with standard concurrency control patterns and follows the principle of checking conditions after acquiring locks or flags to prevent race conditions. The solution prevents the scenario where thread C incorrectly assumes data is valid while thread B's read operation is still in progress, maintaining proper synchronization between concurrent operations. This fix directly addresses the timing issues identified in the vulnerability and resolves the root cause of the memory corruption patterns observed in the tree-checker errors, bringing the btrfs implementation in line with expected concurrent access behaviors and maintaining data integrity under multi-threaded workloads.

This vulnerability maps to CWE-362, which describes a race condition in concurrent execution environments, and relates to ATT&CK technique T1490, specifically data destruction through corruption of file systems. The fix demonstrates proper concurrent programming practices and follows security best practices for protecting against timing-based attacks that could be exploited to manipulate file system data structures. The resolution ensures that the btrfs implementation maintains proper consistency guarantees during concurrent access patterns, preventing unauthorized modifications to critical file system metadata structures that could be leveraged for privilege escalation or data integrity compromise.

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!