CVE-2024-36027 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer
Btrfs clears the content of an extent buffer marked as EXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is introduced to prevent a write hole of an extent buffer, which is once allocated, marked dirty, but turns out unnecessary and cleaned up within one transaction operation.
Currently, btrfs_clear_buffer_dirty() marks the extent buffer as EXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call happens while the buffer is under IO (with the WRITEBACK flag set, without the DIRTY flag), we can add the ZEROOUT flag and clear the buffer's content just before a bio submission. As a result:
1) it can lead to adding faulty delayed reference item which leads to a FS corrupted (EUCLEAN) error, and
2) it writes out cleared tree node on disk
The former issue is previously discussed in [1]. The corruption happens
when it runs a delayed reference update. So, on-disk data is safe.
[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/
The latter one can reach on-disk data. But, as that node is already processed by btrfs_clear_buffer_dirty(), that will be invalidated in the next transaction commit anyway. So, the chance of hitting the corruption is relatively small.
Anyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to keep the content under IO intact.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/28/2025
The vulnerability CVE-2024-36027 affects the Linux kernel's btrfs file system implementation, specifically within the zoned storage handling mechanisms. This issue stems from improper management of extent buffer states during I/O operations, creating potential data corruption scenarios that could compromise file system integrity. The problem manifests when the btrfs subsystem attempts to clear buffer dirty flags while the extent buffer is simultaneously under I/O operations, leading to inconsistent state management and erroneous data handling.
The technical flaw occurs in the interaction between the btrfs_clear_buffer_dirty() function and the EXTENT_BUFFER_ZONED_ZEROOUT flag management. When an extent buffer is marked with EXTENT_BUFFER_ZONED_ZEROOUT, the system clears the buffer content before bio submission to prevent write holes in zoned storage environments. However, the current implementation incorrectly applies this zero-out mechanism to extent buffers that are under I/O operations but not marked as dirty, creating a race condition between buffer state management and I/O processing. This improper flagging can result in the addition of faulty delayed reference items that ultimately lead to file system corruption with EUCLEAN error codes.
The operational impact of this vulnerability extends beyond simple data integrity concerns to potentially compromise the stability of systems relying on btrfs with zoned storage devices. The first category of issues involves corrupted delayed reference updates that can cause file system corruption, while the second category presents risks of writing out cleared tree nodes to disk. Although the latter scenario typically gets invalidated in subsequent transaction commits, the window of vulnerability allows for potential data inconsistencies. This vulnerability aligns with CWE-119 Improper Access to Memory and CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization, as it involves improper memory access patterns and race conditions in shared resource management. The issue specifically relates to ATT&CK technique T1484.001 Privilege Escalation through Valid Accounts and T1565 Data Manipulation, as it could potentially allow for data corruption that affects system stability and data integrity.
The recommended mitigation strategy involves modifying the btrfs implementation to skip flagging ZEROOUT operations on non-dirty extent buffers that are currently under I/O operations. This change ensures that buffer content remains intact during active I/O processing, preventing the race condition that leads to corrupted delayed references and erroneous data writes. System administrators should update to kernel versions containing the fix, which properly distinguishes between dirty and non-dirty buffers during I/O operations. The fix specifically addresses the condition where WRITEBACK flag is set without the DIRTY flag, ensuring that ZEROOUT operations only occur on buffers that are genuinely marked as dirty and not currently being processed by I/O operations. This approach maintains data consistency while preserving the intended write hole prevention mechanism for properly managed extent buffers.