{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T14:43:34.621","vulnerabilities":[{"cve":{"id":"CVE-2024-49868","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-10-21T18:15:06.623","lastModified":"2025-11-03T23:16:27.077","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a NULL pointer dereference when failed to start a new trasacntion\n\n[BUG]\nSyzbot reported a NULL pointer dereference with the following crash:\n\n FAULT_INJECTION: forcing a failure.\n start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676\n prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642\n relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678\n ...\n BTRFS info (device loop0): balance: ended with status: -12\n Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]\n RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926\n Call Trace:\n \n commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496\n btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430\n del_balance_item fs/btrfs/volumes.c:3678 [inline]\n reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742\n btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574\n btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nThe allocation failure happens at the start_transaction() inside\nprepare_to_relocate(), and during the error handling we call\nunset_reloc_control(), which makes fs_info->balance_ctl to be NULL.\n\nThen we continue the error path cleanup in btrfs_balance() by calling\nreset_balance_state() which will call del_balance_item() to fully delete\nthe balance item in the root tree.\n\nHowever during the small window between set_reloc_contrl() and\nunset_reloc_control(), we can have a subvolume tree update and created a\nreloc_root for that subvolume.\n\nThen we go into the final btrfs_commit_transaction() of\ndel_balance_item(), and into btrfs_update_reloc_root() inside\ncommit_fs_roots().\n\nThat function checks if fs_info->reloc_ctl is in the merge_reloc_tree\nstage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer\ndereference.\n\n[FIX]\nJust add extra check on fs_info->reloc_ctl inside\nbtrfs_update_reloc_root(), before checking\nfs_info->reloc_ctl->merge_reloc_tree.\n\nThat DEAD_RELOC_TREE handling is to prevent further modification to the\nreloc tree during merge stage, but since there is no reloc_ctl at all,\nwe do not need to bother that."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige una desreferencia de puntero NULL cuando no se puede iniciar una nueva transacción [ERROR] Syzbot informó una desreferencia de puntero NULL con el siguiente bloqueo: FAULT_INJECTION: forzando un fallo. start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678 ... Información de BTRFS (dispositivo loop0): balance: finalizado con estado: -12 Vaya: error de protección general, probablemente para la dirección no canónica 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref en el rango [0x000000000000660-0x0000000000000667] RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926 Seguimiento de llamadas: commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496 btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430 del_balance_item fs/btrfs/volumes.c:3678 [en línea] reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742 btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [CAUSA] El fallo de asignación ocurre en start_transaction() dentro de prepare_to_relocate(), y durante el manejo de errores llamamos a unset_reloc_control(), lo que hace que fs_info->balance_ctl sea NULL. Luego continuamos con la limpieza de la ruta de error en btrfs_balance() llamando a reset_balance_state() que llamará a del_balance_item() para eliminar por completo el elemento de balance en el árbol raíz. Sin embargo, durante la pequeña ventana entre set_reloc_contrl() y unset_reloc_control(), podemos tener una actualización del árbol de subvolumen y crear un reloc_root para ese subvolumen. Luego pasamos a la btrfs_commit_transaction() final de del_balance_item() y a btrfs_update_reloc_root() dentro de commit_fs_roots(). Esa función verifica si fs_info->reloc_ctl está en la etapa merge_reloc_tree, pero dado que fs_info->reloc_ctl es NULL, da como resultado una desreferencia de puntero NULL. [SOLUCIÓN] Solo hay que añadir una comprobación adicional en fs_info->reloc_ctl dentro de btrfs_update_reloc_root(), antes de comprobar fs_info->reloc_ctl->merge_reloc_tree. El manejo de DEAD_RELOC_TREE sirve para evitar modificaciones adicionales del árbol de reubicación durante la etapa de fusión, pero como no hay ningún reloc_ctl, no tenemos que preocuparnos por eso."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.227","matchCriteriaId":"EB525A44-6338-4857-AD90-EA2860D1AD1F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.168","matchCriteriaId":"4D51C05D-455B-4D8D-89E7-A58E140B864C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.113","matchCriteriaId":"D01BD22E-ACD1-4618-9D01-6116570BE1EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.55","matchCriteriaId":"E90B9576-56C4-47BC-AAB0-C5B2D438F5D0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.14","matchCriteriaId":"4C16BCE0-FFA0-4599-BE0A-1FD65101C021"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.3","matchCriteriaId":"54D9C704-D679-41A7-9C40-10A6B1E7FFE9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}