CVE-2024-56759

{"id": "CVE-2024-56759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-01-06T17:15:40.900", "references": [{"url": "https://git.kernel.org/stable/c/44f52bbe96dfdbe4aca3818a2534520082a07040", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/526ff5b27f090fb15040471f892cd2c9899ce314", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/66376f1a73cba57fd0af2631d7888605b738e499", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a466b8693b9add05de99af00c7bdff8259ecf19", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c3a403d8ce36f5a809a492581de5ad17843e4701", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when COWing tree bock and tracing is enabled\n\nWhen a COWing a tree block, at btrfs_cow_block(), and we have the\ntracepoint trace_btrfs_cow_block() enabled and preemption is also enabled\n(CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent\nbuffer while inside the tracepoint code. This is because in some paths\nthat call btrfs_cow_block(), such as btrfs_search_slot(), we are holding\nthe last reference on the extent buffer @buf so btrfs_force_cow_block()\ndrops the last reference on the @buf extent buffer when it calls\nfree_extent_buffer_stale(buf), which schedules the release of the extent\nbuffer with RCU. This means that if we are on a kernel with preemption,\nthe current task may be preempted before calling trace_btrfs_cow_block()\nand the extent buffer already released by the time trace_btrfs_cow_block()\nis called, resulting in a use-after-free.\n\nFix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to\nbtrfs_force_cow_block() before the COWed extent buffer is freed.\nThis also has a side effect of invoking the tracepoint in the tree defrag\ncode, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is\ncalled there, but this is fine and it was actually missing there."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: se corrige el use-after-free cuando se aplica COW a un bloque de \u00e1rbol y se habilita el seguimiento Cuando se aplica COW a un bloque de \u00e1rbol, en btrfs_cow_block(), y tenemos habilitado el punto de seguimiento trace_btrfs_cow_block() y tambi\u00e9n est\u00e1 habilitada la preempci\u00f3n (CONFIG_PREEMPT=y), podemos activar un use-after-free en el b\u00fafer de extensi\u00f3n aplicado COW mientras estamos dentro del c\u00f3digo del punto de seguimiento. Esto se debe a que en algunas rutas que llaman a btrfs_cow_block(), como btrfs_search_slot(), estamos manteniendo la \u00faltima referencia en el b\u00fafer de extensi\u00f3n @buf, por lo que btrfs_force_cow_block() elimina la \u00faltima referencia en el b\u00fafer de extensi\u00f3n @buf cuando llama a free_extent_buffer_stale(buf), que programa la liberaci\u00f3n del b\u00fafer de extensi\u00f3n con RCU. Esto significa que si estamos en un n\u00facleo con preempci\u00f3n, la tarea actual puede ser preemptada antes de llamar a trace_btrfs_cow_block() y el buffer de extensi\u00f3n ya liberado para el momento en que se llama a trace_btrfs_cow_block(), lo que da como resultado un use-after-free. Arregle esto moviendo trace_btrfs_cow_block() de btrfs_cow_block() a btrfs_force_cow_block() antes de que se libere el buffer de extensi\u00f3n COWed. Esto tambi\u00e9n tiene un efecto secundario de invocar el punto de seguimiento en el c\u00f3digo de desfragmentaci\u00f3n del \u00e1rbol, en defrag.c:btrfs_realloc_node(), ya que btrfs_force_cow_block() se llama all\u00ed, pero esto est\u00e1 bien y en realidad faltaba all\u00ed."}], "lastModified": "2025-02-11T16:15:47.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A8903F-DC48-45AD-98DC-188AFD7C5844", "versionEndExcluding": "6.12.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}