CVE-2024-36027 (GCVE-0-2024-36027)

Vulnerability from cvelistv5 – Published: 2024-05-30 15:10 – Updated: 2025-05-04 09:10
VLAI?
Title
btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer Btrfs clears the content of an extent buffer marked as EXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is introduced to prevent a write hole of an extent buffer, which is once allocated, marked dirty, but turns out unnecessary and cleaned up within one transaction operation. Currently, btrfs_clear_buffer_dirty() marks the extent buffer as EXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call happens while the buffer is under IO (with the WRITEBACK flag set, without the DIRTY flag), we can add the ZEROOUT flag and clear the buffer's content just before a bio submission. As a result: 1) it can lead to adding faulty delayed reference item which leads to a FS corrupted (EUCLEAN) error, and 2) it writes out cleared tree node on disk The former issue is previously discussed in [1]. The corruption happens when it runs a delayed reference update. So, on-disk data is safe. [1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/ The latter one can reach on-disk data. But, as that node is already processed by btrfs_clear_buffer_dirty(), that will be invalidated in the next transaction commit anyway. So, the chance of hitting the corruption is relatively small. Anyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to keep the content under IO intact.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: aa6313e6ff2bfbf736a2739047bba355d8241584 , < f4b994fccbb6f294c4b31a6ca0114b09f7245043 (git)
Affected: aa6313e6ff2bfbf736a2739047bba355d8241584 , < 68879386180c0efd5a11e800b0525a01068c9457 (git)
Create a notification for this product.
    Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.8.8 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36027",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:34:25.215751Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:34:35.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:30:12.531Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4b994fccbb6f294c4b31a6ca0114b09f7245043",
              "status": "affected",
              "version": "aa6313e6ff2bfbf736a2739047bba355d8241584",
              "versionType": "git"
            },
            {
              "lessThan": "68879386180c0efd5a11e800b0525a01068c9457",
              "status": "affected",
              "version": "aa6313e6ff2bfbf736a2739047bba355d8241584",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer\n\nBtrfs clears the content of an extent buffer marked as\nEXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is\nintroduced to prevent a write hole of an extent buffer, which is once\nallocated, marked dirty, but turns out unnecessary and cleaned up within\none transaction operation.\n\nCurrently, btrfs_clear_buffer_dirty() marks the extent buffer as\nEXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call\nhappens while the buffer is under IO (with the WRITEBACK flag set,\nwithout the DIRTY flag), we can add the ZEROOUT flag and clear the\nbuffer\u0027s content just before a bio submission. As a result:\n\n1) it can lead to adding faulty delayed reference item which leads to a\n   FS corrupted (EUCLEAN) error, and\n\n2) it writes out cleared tree node on disk\n\nThe former issue is previously discussed in [1]. The corruption happens\nwhen it runs a delayed reference update. So, on-disk data is safe.\n\n[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/\n\nThe latter one can reach on-disk data. But, as that node is already\nprocessed by btrfs_clear_buffer_dirty(), that will be invalidated in the\nnext transaction commit anyway. So, the chance of hitting the corruption\nis relatively small.\n\nAnyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to\nkeep the content under IO intact."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:10:51.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043"
        },
        {
          "url": "https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457"
        }
      ],
      "title": "btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36027",
    "datePublished": "2024-05-30T15:10:17.129Z",
    "dateReserved": "2024-05-17T13:50:33.159Z",
    "dateUpdated": "2025-05-04T09:10:51.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T03:30:12.531Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-36027\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-17T17:34:25.215751Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-17T17:34:26.272Z\"}}], \"cna\": {\"title\": \"btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"aa6313e6ff2bfbf736a2739047bba355d8241584\", \"lessThan\": \"f4b994fccbb6f294c4b31a6ca0114b09f7245043\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"aa6313e6ff2bfbf736a2739047bba355d8241584\", \"lessThan\": \"68879386180c0efd5a11e800b0525a01068c9457\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/btrfs/extent_io.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.8.8\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/btrfs/extent_io.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/f4b994fccbb6f294c4b31a6ca0114b09f7245043\"}, {\"url\": \"https://git.kernel.org/stable/c/68879386180c0efd5a11e800b0525a01068c9457\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer\\n\\nBtrfs clears the content of an extent buffer marked as\\nEXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is\\nintroduced to prevent a write hole of an extent buffer, which is once\\nallocated, marked dirty, but turns out unnecessary and cleaned up within\\none transaction operation.\\n\\nCurrently, btrfs_clear_buffer_dirty() marks the extent buffer as\\nEXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call\\nhappens while the buffer is under IO (with the WRITEBACK flag set,\\nwithout the DIRTY flag), we can add the ZEROOUT flag and clear the\\nbuffer\u0027s content just before a bio submission. As a result:\\n\\n1) it can lead to adding faulty delayed reference item which leads to a\\n   FS corrupted (EUCLEAN) error, and\\n\\n2) it writes out cleared tree node on disk\\n\\nThe former issue is previously discussed in [1]. The corruption happens\\nwhen it runs a delayed reference update. So, on-disk data is safe.\\n\\n[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/\\n\\nThe latter one can reach on-disk data. But, as that node is already\\nprocessed by btrfs_clear_buffer_dirty(), that will be invalidated in the\\nnext transaction commit anyway. So, the chance of hitting the corruption\\nis relatively small.\\n\\nAnyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to\\nkeep the content under IO intact.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.8\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"6.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:10:51.723Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-36027\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T09:10:51.723Z\", \"dateReserved\": \"2024-05-17T13:50:33.159Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-30T15:10:17.129Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…