CVE-2024-50217 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Mounting btrfs from two images (which have the same fsid and two different dev_uuids) in a certain execution order may trigger a UAF for the variable 'device->bdev_file' in __btrfs_free_extra_devids(). The details follow:

1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV):

             /  btrfs_device_1 → loop0
    fs_device
             \  btrfs_device_2 → loop1

2. mount /dev/loop0 /mnt
    btrfs_open_devices
     btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
     btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
     open_ctree
      fail: btrfs_close_devices // -ENOMEM
       btrfs_close_bdev(btrfs_device_1)
        fput(btrfs_device_1->bdev_file)
        // btrfs_device_1->bdev_file is freed
       btrfs_close_bdev(btrfs_device_2)
        fput(btrfs_device_2->bdev_file)

3. mount /dev/loop1 /mnt
    btrfs_open_devices
     btrfs_get_bdev_and_sb(&bdev_file)
      // EIO, btrfs_device_1->bdev_file is not assigned,
      // which points to a freed memory area
     btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
     open_ctree
      btrfs_free_extra_devids
       if (btrfs_device_1->bdev_file)
        fput(btrfs_device_1->bdev_file) // UAF !

Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device().


Analysis

by VulDB Data Team • 07/16/2025

The vulnerability described in CVE-2024-50217 affects the Linux kernel's btrfs filesystem implementation and represents a use-after-free condition that can lead to arbitrary code execution or system instability. This issue occurs during the mounting process of btrfs filesystems when multiple image files with identical filesystem identifiers but different device identifiers are involved. The flaw manifests when the kernel attempts to manage device references in a specific sequence that leaves dangling pointers in memory. The vulnerability is particularly concerning because it can be triggered through legitimate filesystem operations and could potentially be exploited by malicious actors to gain unauthorized access or cause denial of service conditions.

The technical root cause of this vulnerability lies in improper handling of device file references within the btrfs kernel subsystem. When two btrfs images with the same filesystem identifier (fsid) but different device UUIDs are mounted in a specific order, the kernel's device management functions fail to properly invalidate references to freed memory locations. Specifically, during the btrfs_close_devices function call, the device file reference stored in device->bdev_file is freed through fput(), but subsequent operations may attempt to access this same memory location without proper validation. The flaw occurs in the __btrfs_free_extra_devids() function where the code checks if device->bdev_file is valid but the memory has already been freed, creating a use-after-free scenario that can be exploited for privilege escalation or system compromise. This condition aligns with CWE-416, which specifically addresses use-after-free vulnerabilities in software systems.

The operational impact of this vulnerability extends beyond simple system crashes or hangs, as it can enable attackers to execute arbitrary code with kernel privileges. The sequence of operations that triggers this vulnerability involves mounting btrfs filesystems from loop devices in a specific order that causes the kernel to maintain references to freed memory structures. When the second mount operation fails and the cleanup process occurs, the kernel attempts to access a memory location that has already been deallocated, potentially allowing for memory corruption or code execution. This vulnerability affects systems running Linux kernels with btrfs filesystem support and can be particularly dangerous in environments where untrusted users have access to filesystem mounting capabilities. The attack vector is relatively straightforward and can be triggered through normal filesystem operations, making it a significant security concern for system administrators managing btrfs-based storage systems.

The fix for this vulnerability involves implementing proper nullification of device file references after device closure operations. Specifically, the btrfs_close_one_device() function should set device->bdev_file to NULL immediately after closing the device, preventing subsequent access to freed memory locations. This approach follows established security practices for preventing use-after-free conditions by ensuring that all references to freed memory are invalidated before the memory is released back to the system. The mitigation strategy aligns with ATT&CK technique T1068, which covers privilege escalation through local exploits, as this vulnerability could enable attackers to escalate privileges from user-level to kernel-level execution. System administrators should prioritize applying the kernel patches that address this vulnerability and monitor for any unusual system behavior that might indicate exploitation attempts. Regular kernel updates and proper filesystem management practices are essential for maintaining system security against such memory corruption vulnerabilities that could be leveraged for more sophisticated attacks.
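The following is an added example, not code from the Linux kernel or from VulDB, that models the dangling-pointer pattern described in the summary and in the analysis above and shows why clearing device->bdev_file after fput() closes the hole. All names (fake_file, fake_device, fake_fput, close_one_device_vulnerable, close_one_device_fixed, free_extra_devids, replay_sequence) are constructed stand-ins for the btrfs structures and functions named on the page; the "file" is never really freed, it is only marked released, so a stale put is counted instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel struct file with a reference count.
 * Instead of really freeing memory (undefined behaviour in userspace),
 * the stand-in records that it has been released, so a put on a stale
 * pointer can be detected and counted rather than corrupting memory. */
struct fake_file {
    const char *name;
    int refcount;
    bool released;
};

/* Number of puts issued against an already-released file. In the real
 * kernel each of these would be the use-after-free the page describes. */
static int stale_puts;

static void fake_fput(struct fake_file *f)
{
    if (f->released) {
        stale_puts++;          /* would be a UAF on a real struct file */
        return;
    }
    if (--f->refcount == 0)
        f->released = true;    /* stands in for freeing the struct file */
}

/* Simplified btrfs_device: only the field the CVE is about. */
struct fake_device {
    const char *devname;
    struct fake_file *bdev_file;
};

/* Vulnerable shape of btrfs_close_one_device as the page describes it:
 * the file is put, but the pointer is left pointing at released memory. */
static void close_one_device_vulnerable(struct fake_device *dev)
{
    if (dev->bdev_file)
        fake_fput(dev->bdev_file);
}

/* Fixed shape: the pointer is cleared after the put, so any later
 * "if (dev->bdev_file)" check sees nothing left to release. */
static void close_one_device_fixed(struct fake_device *dev)
{
    if (dev->bdev_file)
        fake_fput(dev->bdev_file);
    dev->bdev_file = NULL;
}

/* Stand-in for __btrfs_free_extra_devids: it trusts a non-NULL
 * bdev_file to be a live reference and releases it. */
static void free_extra_devids(struct fake_device *dev)
{
    if (dev->bdev_file)
        fake_fput(dev->bdev_file);
}

/* Replays the page's sequence for btrfs_device_1 with the chosen close
 * routine and returns how many stale puts were observed.
 * Step 2: the first mount opens the device file, open_ctree fails and the
 *         devices are closed.
 * Step 3: the second mount cannot reopen that device (EIO on the page), so
 *         bdev_file is not reassigned, and free_extra_devids runs on it. */
static int replay_sequence(void (*close_one)(struct fake_device *))
{
    struct fake_file file = { .name = "loop0", .refcount = 0, .released = false };
    struct fake_device dev = { .devname = "btrfs_device_1", .bdev_file = NULL };

    stale_puts = 0;

    /* step 2: btrfs_open_devices succeeds, open_ctree fails, devices closed */
    file.refcount = 1;
    dev.bdev_file = &file;
    close_one(&dev);

    /* step 3: reopen fails, bdev_file is left as-is, free_extra_devids runs */
    free_extra_devids(&dev);

    return stale_puts;
}

int main(void)
{
    printf("vulnerable close: %d stale put(s)\n",
           replay_sequence(close_one_device_vulnerable));
    printf("fixed close:      %d stale put(s)\n",
           replay_sequence(close_one_device_fixed));
    return 0;
}
```

With the vulnerable close routine the replay reports one stale put (the fput on the dangling pointer in step 3); with the fixed routine it reports none, because the NULL check in free_extra_devids now does what the code assumed it did all along. The general lesson for reviewing any release path is the one the fix applies: a pointer whose reference has been dropped must be cleared in the same function that drops it, not left for callers to remember.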

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00260

KEV

no

Activities

very low

Sources
