CVE-2024-50273 in Linuxinfo

Summary

by MITRE • 11/19/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reinitialize delayed ref list after deleting it from the list

At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise.

So fix this by deleting from the list with list_del_init() instead.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/22/2025

The vulnerability described in CVE-2024-50273 represents a critical memory corruption issue within the Linux kernel's btrfs filesystem implementation that stems from improper list management during delayed reference operations. This flaw exists in the btrfs subsystem's handling of delayed reference structures, specifically when managing the ref_add_list member of delayed reference objects during insertion operations. The vulnerability manifests when the kernel attempts to update an existing reference's action to BTRFS_DROP_DELAYED_REF, triggering a sequence of operations that leaves the list structure in an inconsistent state.

The technical root cause of this vulnerability lies in the improper use of list manipulation functions within the kernel's memory management subsystem. When insert_delayed_ref() encounters a situation where an existing reference needs to be updated to the BTRFS_DROP_DELAYED_REF action, it executes list_del() to remove the reference from its ref head's ref_add_list. However, list_del() does not initialize the list pointers of the removed element, instead setting the next and prev members to LIST_POISON1 and LIST_POISON2 respectively. This leaves the reference object in a state where its add_list member contains invalid pointer values that do not conform to the kernel's list integrity requirements.

The operational impact of this vulnerability becomes apparent when the kernel later calls drop_delayed_ref() against the same reference object during operations such as merging or transaction abort handling. At this point, the drop_delayed_ref() function performs a list_empty() check against the reference's add_list member, which incorrectly returns false due to the poisoned pointer values. This false return causes the function to proceed with another list_del() operation on the already-deleted reference, resulting in invalid memory access patterns that can trigger kernel crashes or more severe memory corruption. The vulnerability is particularly dangerous because it can be triggered through normal filesystem operations and may lead to system instability or denial of service conditions.

The fix implemented addresses this issue by replacing the list_del() call with list_del_init() within the insert_delayed_ref() function. This change ensures that when a reference is removed from the list, its list pointers are properly initialized to valid empty list state values rather than poisoned pointers. This prevents the subsequent drop_delayed_ref() call from encountering invalid list states and eliminates the double-list deletion scenario that leads to memory corruption. The solution aligns with established kernel coding practices for list management and follows the principles outlined in the Linux kernel's list management documentation, where list_del_init() is specifically recommended for scenarios where the list node will be immediately reinserted or where the list state must be maintained in a consistent condition.

This vulnerability demonstrates the critical importance of proper list management in kernel space programming and highlights the potential for seemingly minor coding errors to result in severe system stability issues. The flaw exhibits characteristics consistent with CWE-459, which describes "Incomplete Cleanup" in software systems, where resources are not properly reset after being removed from a data structure. From an attack perspective, this vulnerability could be leveraged by malicious actors to cause system crashes or potentially achieve privilege escalation if combined with other kernel vulnerabilities, making it a significant concern for systems running btrfs filesystems. The vulnerability's exploitation potential is enhanced by the fact that it can be triggered through normal filesystem operations without requiring special privileges, making it particularly concerning for production environments.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00272

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!