A recent vulnerability, identified as CVE-2024-56759, has been discovered in the Linux kernel, specifically affecting the BTRFS file system. The issue arises from a use-after-free situation when performing a copy-on-write (COW) operation on a tree block while tracing is enabled. This article will explain the nature of the vulnerability, share code snippets, and provide links to original references, as well as discuss how the Linux kernel has been updated to resolve this issue.
Vulnerability Details
The vulnerability is triggered when a COW operation is performed on a tree block through btrfs_cow_block() while the trace_btrfs_cow_block() tracepoint is enabled and the kernel is built with preemption (CONFIG_PREEMPT=y). In call paths where the caller's reference is the last one on the extent buffer, such as the call from btrfs_search_slot(), btrfs_force_cow_block() drops that reference by calling free_extent_buffer_stale(buf). This schedules the extent buffer's release through RCU (Read-Copy-Update); because the kernel is preemptible, the current task may be preempted between that call and the later call to trace_btrfs_cow_block() in btrfs_cow_block(). The deferred release can complete during that window, so by the time trace_btrfs_cow_block() runs it reads an extent buffer that has already been freed: a use-after-free.
Resolution
The fix moves the trace_btrfs_cow_block() call from btrfs_cow_block() into btrfs_force_cow_block(), placing it before the COWed extent buffer's reference is dropped, so the tracepoint always runs on a live buffer. As a side effect, the tree defrag code (btrfs_realloc_node() in defrag.c), which calls btrfs_force_cow_block() directly and previously never emitted the tracepoint, now does.
Code Snippet
/* Original vulnerable code */
int btrfs_cow_block(...)
{
	...
	ret = btrfs_force_cow_block(...);   /* may drop the last reference on buf */
	...
	trace_btrfs_cow_block(...);         /* runs after buf may already be freed */
	...
}

/* Updated code */
int btrfs_force_cow_block(...)
{
	...
	trace_btrfs_cow_block(...);         /* moved here from btrfs_cow_block() */
	...
	free_extent_buffer_stale(buf);      /* drops the reference; release via RCU */
	...
}
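The ordering bug above, reduced to a user-space C model as an added illustration (this is not kernel code or the patch itself): a hypothetical refcounted struct stands in for the extent buffer, the deferred RCU release is modelled by marking the object freed on the last put, and a function that reads the buffer stands in for the tracepoint. The block numbers are constructed sample values.

```c
#include <stdio.h>

/* Toy model of a btrfs extent buffer: hypothetical, not the kernel struct. */
struct ebuf {
    unsigned long bytenr;   /* logical address of the tree block */
    int refs;               /* reference count held by callers/paths */
    int freed;              /* set once the deferred (RCU) release has run */
};

/* Stand-in for free_extent_buffer_stale(): drop one reference. Dropping the
 * last one models the RCU-deferred free having already completed, which is
 * exactly the window a preempted task can fall into. */
static void ebuf_put(struct ebuf *eb)
{
    if (--eb->refs == 0)
        eb->freed = 1;      /* the memory is no longer ours */
}

/* Stand-in for trace_btrfs_cow_block(): reads fields of the COWed buffer.
 * Returns 0 if it read a live object, -1 if it touched a released one. */
static int trace_cow_block(const struct ebuf *old, const struct ebuf *cow)
{
    if (old->freed)
        return -1;          /* this read would be a use-after-free */
    printf("cow %lu -> %lu\n", old->bytenr, cow->bytenr);
    return 0;
}

/* Vulnerable ordering: force_cow drops the reference, the caller traces after. */
static int cow_block_vulnerable(struct ebuf *buf, struct ebuf *cow)
{
    ebuf_put(buf);                      /* inside btrfs_force_cow_block() */
    return trace_cow_block(buf, cow);   /* back in btrfs_cow_block(): too late */
}

/* Fixed ordering (what the patch does): trace inside force_cow, before the drop. */
static int cow_block_fixed(struct ebuf *buf, struct ebuf *cow)
{
    int ret = trace_cow_block(buf, cow);    /* buf is still referenced here */
    ebuf_put(buf);
    return ret;
}

/* One COW with the caller holding the only reference, as in btrfs_search_slot(). */
int run_cow(int fixed)
{
    struct ebuf old = { .bytenr = 30408704, .refs = 1 };
    struct ebuf cow = { .bytenr = 30425088, .refs = 1 };
    return fixed ? cow_block_fixed(&old, &cow) : cow_block_vulnerable(&old, &cow);
}
```

The model makes the race deterministic: the vulnerable ordering always reads a released buffer, while the fixed ordering always traces a live one, so the same check works as a regression test for the ordering.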
Original References
- Official Linux kernel commit detailing the resolution: commit link
- Linux kernel mailing list discussion on the vulnerability: email thread link
Conclusion
CVE-2024-56759, a use-after-free vulnerability found in the Linux kernel's BTRFS file system, posed a potentially severe exploit risk. Thankfully, the Linux kernel developers have released a patch that addresses this issue by moving the tracepoint call so it runs before the extent buffer's last reference is dropped, closing the window in which a preempted task could trace a freed buffer. Users are encouraged to update their Linux kernel to pick up this security fix.
Timeline
Published on: 01/06/2025 17:15:40 UTC
Last modified on: 01/20/2025 06:27:32 UTC