{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T15:22:20.258","vulnerabilities":[{"cve":{"id":"CVE-2024-26616","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-03-11T18:15:19.400","lastModified":"2024-12-12T15:31:18.293","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: avoid use-after-free when chunk length is not 64K aligned\n\n[BUG]\nThere is a bug report that, on a ext4-converted btrfs, scrub leads to\nvarious problems, including:\n\n- \"unable to find chunk map\" errors\n  BTRFS info (device vdb): scrub: started on devid 1\n  BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096\n  BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056\n\n  This would lead to unrepariable errors.\n\n- Use-after-free KASAN reports:\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0\n  Read of size 8 at addr ffff8881013c9040 by task btrfs/909\n  CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x43/0x60\n   print_report+0xcf/0x640\n   kasan_report+0xa6/0xd0\n   __blk_rq_map_sg+0x18f/0x7c0\n   virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n   virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n   blk_mq_flush_plug_list.part.0+0x780/0x860\n   __blk_flush_plug+0x1ba/0x220\n   blk_finish_plug+0x3b/0x60\n   submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   __x64_sys_ioctl+0xbd/0x100\n   do_syscall_64+0x5d/0xe0\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\n  RIP: 0033:0x7f47e5e0952b\n\n- Crash, mostly due to above use-after-free\n\n[CAUSE]\nThe converted fs has the following data chunk layout:\n\n    item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80\n        length 86016 owner 2 stripe_len 65536 type DATA|single\n\nFor above logical bytenr 2214744064, it's at the chunk end\n(2214658048 + 86016 = 2214744064).\n\nThis means btrfs_submit_bio() would split the bio, and trigger endio\nfunction for both of the two halves.\n\nHowever scrub_submit_initial_read() would only expect the endio function\nto be called once, not any more.\nThis means the first endio function would already free the bbio::bio,\nleaving the bvec freed, thus the 2nd endio call would lead to\nuse-after-free.\n\n[FIX]\n- Make sure scrub_read_endio() only updates bits in its range\n  Since we may read less than 64K at the end of the chunk, we should not\n  touch the bits beyond chunk boundary.\n\n- Make sure scrub_submit_initial_read() only to read the chunk range\n  This is done by calculating the real number of sectors we need to\n  read, and add sector-by-sector to the bio.\n\nThankfully the scrub read repair path won't need extra fixes:\n\n- scrub_stripe_submit_repair_read()\n  With above fixes, we won't update error bit for range beyond chunk,\n  thus scrub_stripe_submit_repair_read() should never submit any read\n  beyond the chunk."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: limpieza: evita el use-after-free cuando la longitud del fragmento no está alineada con 64 K [ERROR] Hay un informe de error que indica que, en un btrfs convertido a ext4, la limpieza conduce a varios problemas, que incluyen: - Errores \"no se puede encontrar el mapa de fragmentos\" Información BTRFS (dispositivo vdb): limpieza: iniciado en el devid 1 BTRFS crítico (dispositivo vdb): no se puede encontrar el mapa de fragmentos para la longitud lógica 2214744064 4096 BTRFS crítico (dispositivo vdb): No se puede encontrar el mapa de fragmentos para la longitud lógica 2214744064 45056. Esto provocaría errores irreparables. - Informes KASAN de uso gratuito: =========================================== ========================= ERROR: KASAN: slab-use-after-free en __blk_rq_map_sg+0x18f/0x7c0 Lectura de tamaño 8 en la dirección ffff8881013c9040 por tarea btrfs/909 CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b Nombre de hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 2023.11-2 24/12/2023 Seguimiento de llamadas :  dump_stack_lvl+0x43/0x60 print_report+0xcf/0x640 kasan_report+0xa6/0xd0 __blk_rq_map_sg+0x18f/0x7c0 virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02ed fad39bb9ddee07dcdaff] virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff] blk_mq_flush_plug_list.part. 0+0x780/0x860 __blk_flush_plug+0x1ba/0x220 blk_finish_plug+0x3b/0x60 submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] Flush_scrub_stripes+0x38 e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] Scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] Scrub_chunk+0x178/0x200 [btrfs e579 87a360cama82fe8756dcd3e0de5406ccfe965 ] Scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] btr fs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965] __x64_sys_ioctl+0xbd/0x100 do_syscall_64+0x5d/0xe0 Entry_SYSCALL_64_after_hwframe+0x63/0x6b QEPD: 0033:0x7f47e5e0952b - Fallo , principalmente debido al use-after-free anterior [CAUSA] El fs convertido tiene el siguiente diseño de fragmento de datos: clave del elemento 2 (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 tamaño del elemento 80 longitud 86016 propietario 2 stripe_len 65536 tipo DATOS|single Para el bytenr lógico anterior 2214744064 , está al final del fragmento (2214658048 + 86016 = 2214744064). Esto significa que btrfs_submit_bio() dividiría la biografía y activaría la función endio para ambas mitades. Sin embargo, Scrub_submit_initial_read() solo esperaría que la función endio se llamara una vez, ya no. Esto significa que la primera función endio ya liberaría bbio::bio, dejando libre el bvec, por lo que la segunda llamada a endio conduciría a use-after-free. [FIX] - Asegúrese de que Scrub_read_endio() solo actualice los bits en su rango. Dado que podemos leer menos de 64 K al final del fragmento, no debemos tocar los bits más allá del límite del fragmento. - Asegúrese de que Scrub_submit_initial_read() solo lea el rango de fragmentos. Esto se hace calculando el número real de sectores que necesitamos leer y agregando sector por sector a la biografía. Afortunadamente, la ruta de reparación de lectura de limpieza no necesitará correcciones adicionales: - Scrub_stripe_submit_repair_read() Con las correcciones anteriores, no actualizaremos el bit de error para el rango más allá del fragmento, por lo tanto, Scrub_stripe_submit_repair_read() nunca debería enviar ninguna lectura más allá del fragmento."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.15","matchCriteriaId":"D6633E78-36B1-447E-BE57-C820A3E58E33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.3","matchCriteriaId":"58FD5308-148A-40D3-B36A-0CA6B434A8BF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*","matchCriteriaId":"B9F4EA73-0894-400F-A490-3A397AB7A517"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/34de0f04684ec00c093a0455648be055f0e8e24f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/642b9c520ef2f104277ad1f902f8526edbe087fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f546c4282673497a06ecb6190b50ae7f6c85b02f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/34de0f04684ec00c093a0455648be055f0e8e24f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/642b9c520ef2f104277ad1f902f8526edbe087fb","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f546c4282673497a06ecb6190b50ae7f6c85b02f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}