{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T03:08:13.413","vulnerabilities":[{"cve":{"id":"CVE-2024-41067","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-07-29T15:15:14.560","lastModified":"2025-10-09T18:06:27.280","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: Scrub: maneja correctamente el error de búsqueda RST [ERROR] Al ejecutar btrfs/060 con la función RST forzada, bloquearía el siguiente ASSERT() dentro de Scrub_read_endio(): ASSERT(sector_nr &lt; raya-&gt;nr_sectors); Antes de eso, tendríamos un volcado de árbol de btrfs_get_raid_extent_offset(), ya que no pudimos encontrar la entrada RST para el rango. [CAUSA] Dentro de Scrub_submit_extent_sector_read() cada vez que asignamos un nuevo bbio llamamos inmediatamente a btrfs_map_block() para asegurarnos de que hubiera algún rango RST que cubriera el objetivo de limpieza. Pero si btrfs_map_block()fallo, inmediatamente llamamos a endio para el bbio, mientras el bbio está recién asignado, está completamente vacío. Luego, dentro de Scrub_read_endio(), revisamos los bvecs para encontrar el número del sector (ya que bi_sector ya no es confiable si la biografía se envía a capas inferiores). Y dado que la biografía está vacía, dicha iteración de bvecs no encontraría ningún sector que coincida con el sector y devolvería sector_nr == stripe-&gt;nr_sectors, lo que activaría ASSERT(). [FIX] En lugar de llamar a btrfs_map_block() después de asignar un nuevo bbio, llame primero a btrfs_map_block(). Dado que nuestro único objetivo al llamar a btrfs_map_block() es solo actualizar stripe_len, realmente no hay necesidad de hacerlo después de btrfs_alloc_bio(). Este nuevo tiempo evitaría por completo el problema de manejar bbio vacío y, de hecho, soluciona una posible ventana de ejecuciónpara el código anterior, donde si el hilo de envío es el único propietario de pendiente_io, la limpieza nunca terminaría (ya que no lo hicimos). disminuir el contador pendiente_io). Aunque aún es necesario abordar la causa raíz del error de búsqueda de RST."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9.11","matchCriteriaId":"E5165B93-C9B7-47E9-8137-35D791A1B1D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*","matchCriteriaId":"2EBB4392-5FA6-4DA9-9772-8F9C750109FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*","matchCriteriaId":"331C2F14-12C7-45D5-893D-8C52EE38EA10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*","matchCriteriaId":"3173713D-909A-4DD3-9DD4-1E171EB057EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*","matchCriteriaId":"79F18AFA-40F7-43F0-BA30-7BDB65F918B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*","matchCriteriaId":"BD973AA4-A789-49BD-8D57-B2846935D3C7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}