CVE-2024-26794: Vulnerability in Linux (Linux kernel)

Severity: Medium
CVE ID: CVE-2024-26794
Published: Thu Apr 04 2024 (04/04/2024, 08:20:24 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between ordered extent completion and fiemap

For fiemap we recently stopped locking the target extent range for the whole duration of the fiemap call, in order to avoid a deadlock in a scenario where the fiemap buffer happens to be a memory mapped range of the same file. This use case is very unlikely to be useful in practice but it may be triggered by fuzz testing (syzbot, etc).

However, by not locking the target extent range for the whole duration of the fiemap call we can race with an ordered extent. This happens like this:

1) The fiemap task finishes processing a file extent item that covers the file range [512K, 1M[, and that file extent item is the last item in the leaf currently being processed;

2) An ordered extent for the file range [768K, 2M[, in COW mode, completes (btrfs_finish_one_ordered()) and the file extent item covering the range [512K, 1M[ is trimmed to cover the range [512K, 768K[, and then a new file extent item for the range [768K, 2M[ is inserted in the inode's subvolume tree;

3) The fiemap task calls fiemap_next_leaf_item(), which then calls btrfs_next_leaf() to find the next leaf / item. This finds that the next key following the one we previously processed (its type is BTRFS_EXTENT_DATA_KEY and its offset is 512K) is the key corresponding to the new file extent item inserted by the ordered extent, which has a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;

4) Later the fiemap code ends up at emit_fiemap_extent() and triggers the warning:

    if (cache->offset + cache->len > offset) {
            WARN_ON(1);
            return -EINVAL;
    }

   since we get 1M > 768K, because the previously emitted entry for the old extent covering the file range [512K, 1M[ ends at an offset that is greater than the new extent's start offset (768K).

This makes fiemap fail with -EINVAL besides triggering the warning that produces a stack trace like the following:

[1621.677651] ------------[ cut here ]------------
[1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.677899] Modules linked in: btrfs blake2b_generic (...)
[1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
[1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678033] Code: 2b 4c 89 63 (...)
[1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206
[1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000
[1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90
[1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000
[1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000
[1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850
[1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000
[1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0
[1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1621.678056] Call Trace:
[1621.678074] <TASK>
[1621.678076] ? __warn+0x80/0x130
[1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678159] ? report_bug+0x1f4/0x200
[1621.678164] ? handle_bug+0x42/0x70
[1621.678167] ? exc_invalid_op+0x14/0x70
[1621.678170] ? asm_exc_invalid_op+0x16/0x20
[1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.678253] extent_fiemap+0x766 ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 18:42:31 UTC

Technical Analysis

CVE-2024-26794 is a medium severity vulnerability in the Linux kernel's Btrfs filesystem implementation: a race condition between ordered extent completion and the fiemap ioctl. The fiemap ioctl retrieves a file's extent mappings, which describe how its data is laid out on disk. To avoid a deadlock when the fiemap buffer is a memory-mapped range of the same file, recent kernel changes stopped locking the target extent range for the whole duration of the fiemap call. That change, however, opened a race with ordered extents, which Btrfs uses in copy-on-write (COW) mode to track pending writes to file extents.

The race occurs when the fiemap task has processed a file extent item covering a certain file range and, concurrently, an ordered extent overlapping that range completes and modifies the extent items in the inode's subvolume tree. The fiemap code then sees inconsistent extent boundaries (the previously emitted extent ends after the next one starts), trips a WARN_ON in emit_fiemap_extent(), and the fiemap call fails with -EINVAL. The warning is accompanied by a kernel stack trace that locates the failure in fs/btrfs/extent_io.c.

The vulnerability does not appear to allow direct code execution or privilege escalation, but it can cause denial of service by crashing or destabilizing processes that rely on fiemap calls on Btrfs filesystems. The affected Linux kernel versions are identified by commit hashes, and the issue was publicly disclosed on April 4, 2024. The CVSS 3.1 score is 5.3 (medium), reflecting a network attack vector with low complexity, no privileges required, no user interaction, and impact limited to availability (denial of service). No known exploits are reported in the wild at this time.
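To make the race in the description and in the analysis above concrete, here is an added Python model (not kernel code and not part of the advisory) of the one-entry extent cache and the overlap check in emit_fiemap_extent(), fed the two item sequences a fiemap walk can meet: the raced one from steps 1-4 and the consistent one. FiemapCache, walk_leaf_items, RACED and CONSISTENT are names of my own.

```python
# Added model (not kernel code): the one-entry extent cache and overlap check in
# btrfs emit_fiemap_extent(), as quoted in the advisory. Offsets/lengths in bytes.
K = 1024
EINVAL = 22  # Linux errno value; emit_fiemap_extent() returns -EINVAL

class FiemapCache:
    """Hypothetical stand-in for the cached extent fiemap holds before emitting."""
    def __init__(self):
        self.offset = None     # start of the cached extent, None when empty
        self.len = 0           # length of the cached extent
        self.emitted = []      # extents flushed to user space as (offset, len)

def emit_fiemap_extent(cache, offset, length):
    """Return 0 on success or -EINVAL when the new extent starts before the
    cached one ends, which is the WARN_ON path described in the advisory."""
    if cache.offset is not None:
        # The kernel check from the description:
        #   if (cache->offset + cache->len > offset) { WARN_ON(1); return -EINVAL; }
        if cache.offset + cache.len > offset:
            return -EINVAL
        cache.emitted.append((cache.offset, cache.len))
    cache.offset, cache.len = offset, length
    return 0

def walk_leaf_items(items):
    """Feed (offset, len) file extent items through the cache in the order fiemap
    would meet them while walking BTRFS_EXTENT_DATA_KEY items.
    Returns (rc, extents emitted so far)."""
    cache = FiemapCache()
    for off, ln in items:
        rc = emit_fiemap_extent(cache, off, ln)
        if rc:
            return rc, cache.emitted
    if cache.offset is not None:
        cache.emitted.append((cache.offset, cache.len))   # final flush
    return 0, cache.emitted

# Constructed scenario from steps 1-4 of the description: fiemap already took the
# item for [512K, 1M[, then the ordered extent for [768K, 2M[ completed and
# btrfs_next_leaf() returned the freshly inserted item starting at 768K.
RACED = [(512 * K, 512 * K), (768 * K, 1280 * K)]
# What the tree looks like once the ordered extent has finished and the walk
# sees the trimmed item [512K, 768K[ followed by [768K, 2M[: no overlap.
CONSISTENT = [(512 * K, 256 * K), (768 * K, 1280 * K)]

if __name__ == "__main__":
    print(walk_leaf_items(RACED))        # (-22, [])
    print(walk_leaf_items(CONSISTENT))   # (0, [(524288, 262144), (786432, 1310720)])
```

The raced sequence fails on the second item because 1M > 768K, exactly the comparison the advisory quotes; the consistent sequence emits both extents.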

Potential Impact

For European organizations, the impact of CVE-2024-26794 primarily involves potential denial of service conditions on systems using the Btrfs filesystem. Btrfs is increasingly popular in enterprise Linux distributions and cloud environments due to its advanced features like snapshots and checksumming. Organizations running critical infrastructure, file servers, or container hosts on Btrfs-formatted volumes could experience application crashes or system instability when fiemap calls fail unexpectedly. This could disrupt file integrity monitoring, backup solutions, or any software relying on extent mapping. Although the vulnerability does not lead to data corruption or privilege escalation, the denial of service could impact availability of services, especially in environments with high I/O workloads or automated file system scanning. Given the medium severity and no known active exploitation, the immediate risk is moderate but should be addressed promptly to avoid operational disruptions.

Mitigation Recommendations

To mitigate CVE-2024-26794, European organizations should:

1. Apply the latest Linux kernel patches that fix the race condition in the Btrfs fiemap implementation as soon as they become available from their distribution vendors or kernel maintainers.
2. Where possible, avoid running critical services on Btrfs filesystems until patched, or consider temporarily migrating critical data to more stable filesystems like ext4 or XFS.
3. Monitor kernel logs for warnings related to emit_fiemap_extent or fiemap failures that could indicate attempts to trigger this race condition.
4. Implement robust system monitoring and alerting to detect unexpected process crashes or filesystem errors that may arise from this issue.
5. For environments using fuzz testing or automated file system scanning tools, review and adjust configurations to minimize triggering this race.
6. Coordinate with vendors and cloud providers to ensure underlying infrastructure is patched promptly.

These steps go beyond generic advice by focusing on filesystem-specific mitigations, monitoring for indicative kernel warnings, and operational adjustments to reduce exposure until patches are deployed.
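One way to implement the log monitoring in step 3, as an added example that is not part of the advisory: a Python scanner that pulls the emit_fiemap_extent WARNING lines out of dmesg/journal output, attaches the process name from the following "CPU: ... Comm:" line, and counts hits per process. The function names are my own and the sample log is constructed, modelled on the trace in the description.

```python
# Added example (not from the advisory): scan kernel log lines for the
# emit_fiemap_extent WARNING that CVE-2024-26794 produces, so it can be alerted on.
# Assumes dmesg/journal style lines; names below are my own.
import re
from collections import Counter

# Matches the WARNING line in the advisory's stack trace.
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>fs/btrfs/extent_io\.c):(?P<line>\d+) emit_fiemap_extent\+"
)
# Matches the "CPU: .. PID: .. Comm: .." line that follows and names the process.
COMM_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")

def find_fiemap_warnings(lines):
    """Return one dict per emit_fiemap_extent warning, with the Comm name filled
    in when the matching 'CPU: ... PID: ... Comm:' line follows it."""
    events = []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            events.append({"cpu": int(m["cpu"]), "pid": int(m["pid"]),
                           "file": m["file"], "line": int(m["line"]), "comm": None})
            continue
        c = COMM_RE.search(line)
        if (c and events and events[-1]["comm"] is None
                and events[-1]["pid"] == int(c["pid"])):
            events[-1]["comm"] = c["comm"]
    return events

def summarize(events):
    """Count warnings per process name; repeated hits from one Comm point at a
    fiemap-heavy tool (backup agent, filesystem scanner) racing with writes."""
    return Counter(e["comm"] or f"pid:{e['pid']}" for e in events)

# Constructed sample: lines modelled on the advisory's trace plus unrelated noise.
SAMPLE_LOG = """\
[1621.677651] ------------[ cut here ]------------
[1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
[1621.677899] Modules linked in: btrfs blake2b_generic
[1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
[1700.000001] BTRFS info (device vda2): checking UUID tree
[1800.000002] WARNING: CPU: 0 PID: 310 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
[1800.000003] CPU: 0 PID: 310 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
""".splitlines()

if __name__ == "__main__":
    print(summarize(find_fiemap_warnings(SAMPLE_LOG)))   # Counter({'pool': 2})
```

Feed it `dmesg` or `journalctl -k` output; a non-empty result from a patched kernel is worth a second look, since the fix is meant to remove this warning path.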


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.178Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3c0a

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 6:42:31 PM

Last updated: 8/11/2025, 11:57:51 AM

