CVE-2024-35849: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

Syzbot reported the following information leak in btrfs_ioctl_logical_to_ino():

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x110 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
 btrfs_ioctl+0x714/0x1260
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
 __do_kmalloc_node mm/slub.c:3954 [inline]
 __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0xc0/0x2d0 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
 btrfs_ioctl+0x714/0x1260
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 40-65535 of 65536 are uninitialized
Memory access of size 65536 starts at ffff888045a40000

This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory. Fix this by using kvzalloc() which zeroes out the memory on allocation.
AI Analysis
Technical Summary
CVE-2024-35849 is an information leak vulnerability found in the Linux kernel's Btrfs filesystem implementation, specifically in the btrfs_ioctl_logical_to_ino() function. The vulnerability arises because the kernel copies a 'struct btrfs_data_container' back to user space without properly zero-initializing the allocated memory. The structure is allocated using kvmalloc(), which does not zero-fill the memory, resulting in uninitialized data being exposed to user space. This can leak kernel memory contents, potentially disclosing sensitive information. The issue was identified by Syzbot through Kernel Memory Sanitizer (KMSAN) reports, which detected uninitialized memory usage during the copy_to_user operation. The root cause is that the btrfs_data_container allocated in init_data_container() is not zeroed before being copied out. The fix involves replacing kvmalloc() with kvzalloc(), which zeroes the memory upon allocation, preventing leakage of uninitialized kernel memory. This vulnerability affects Linux kernel versions containing the specified commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and likely earlier versions before the patch. No known exploits are reported in the wild as of the publication date (May 17, 2024). The vulnerability does not require user interaction but does require the ability to invoke the btrfs_ioctl_logical_to_ino() ioctl, which typically requires local access or privileges to interact with Btrfs filesystems via ioctl calls. The impact is an information leak that could aid attackers in bypassing kernel address space layout randomization (KASLR) or gaining insights into kernel memory layout, which can be leveraged for further privilege escalation or kernel exploitation.
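The following is an added user-space analog of the bug pattern described above; it is not kernel code and not part of the original advisory. It models the three moving parts the KMSAN report names: an allocation that keeps stale contents (standing in for kvmalloc()), a container whose header is initialised but whose tail is only partially written (standing in for init_data_container() and the ioctl's result fill), and a full-size copy out (standing in for copy_to_user()). The container layout, the 0xAA "stale" fill, the 64 KiB buffer size and the three written results are all constructed for the demonstration and are chosen so that the stale region begins at offset 40, as in the report; the kernel's exact structure and fill pattern are not modelled.

```c
/*
 * Added user-space analog of the CVE-2024-35849 pattern (constructed example,
 * not kernel code). struct data_container is a simplified stand-in for
 * struct btrfs_data_container; STALE_BYTE stands in for whatever a recycled
 * allocation happened to hold before.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE_BYTE 0xAA

struct data_container {
    uint32_t bytes_left;
    uint32_t bytes_missing;
    uint32_t elem_cnt;
    uint32_t elem_missed;
    uint64_t val[];          /* results are appended here by the lookup */
};

/* Analog of kvmalloc(): returns memory that still holds earlier contents. */
static void *stale_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, STALE_BYTE, n);   /* simulate leftover data from a previous user */
    return p;
}

/* Analog of kvzalloc(): memory is zero-filled on allocation. */
static void *zeroed_alloc(size_t n)
{
    return calloc(1, n);
}

/*
 * Mirrors the shape of init_data_container(): allocate 'total' bytes and
 * initialise only the header. With a non-zeroing allocator, every byte of
 * val[] that the lookup never writes keeps its stale contents.
 */
static struct data_container *init_container(size_t total, int zero_fill)
{
    struct data_container *c = zero_fill ? zeroed_alloc(total) : stale_alloc(total);
    if (!c)
        return NULL;
    c->bytes_left = (uint32_t)(total - sizeof(*c));
    c->bytes_missing = 0;
    c->elem_cnt = 0;
    c->elem_missed = 0;
    return c;
}

/* Stand-in for the lookup writing one result into val[]. */
static void add_result(struct data_container *c, uint64_t v)
{
    c->val[c->elem_cnt++] = v;
    c->bytes_left -= (uint32_t)sizeof(uint64_t);
}

/* Count bytes in the user copy that still carry the stale pattern. */
static size_t count_stale_bytes(const unsigned char *user_buf, size_t total)
{
    size_t n = 0;
    for (size_t i = 0; i < total; i++)
        if (user_buf[i] == STALE_BYTE)
            n++;
    return n;
}

/*
 * Run the whole path once (allocate, fill header, write three results, copy
 * the full 64 KiB buffer out as the ioctl does) and return how many bytes of
 * stale memory reached the "user" buffer. Header (16) + 3 * 8 = 40 bytes are
 * written, so with zero_fill == 0 everything from offset 40 on is stale.
 */
size_t leaked_bytes(int zero_fill)
{
    const size_t total = 65536;
    unsigned char *user_buf = malloc(total);
    struct data_container *c = init_container(total, zero_fill);
    size_t leaked;

    if (!user_buf || !c) {
        free(user_buf);
        free(c);
        return (size_t)-1;
    }
    add_result(c, 0x1234);
    add_result(c, 0x5678);
    add_result(c, 0x9abc);
    memcpy(user_buf, c, total);      /* analog of copy_to_user() of the whole container */
    leaked = count_stale_bytes(user_buf, total);
    free(user_buf);
    free(c);
    return leaked;
}

int main(void)
{
    printf("kvmalloc-style allocation: %zu stale bytes copied out\n", leaked_bytes(0));
    printf("kvzalloc-style allocation: %zu stale bytes copied out\n", leaked_bytes(1));
    return 0;
}
```

The point the run makes is that the size of the copy, not the amount of data actually produced, decides how much stale memory crosses the boundary: the non-zeroing path hands 65496 bytes of previous contents to the caller, the zero-filling path hands none. The same reasoning applies to any fixed-size structure that is copied out in full, which is why zero-on-allocate (or copying only the initialised prefix) is the general fix.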
Potential Impact
For European organizations, the impact of CVE-2024-35849 depends on the prevalence of Linux systems using the Btrfs filesystem, particularly in server environments, cloud infrastructure, and enterprise storage solutions. Organizations running Linux kernels with vulnerable Btrfs implementations may be at risk of kernel memory disclosure. While the vulnerability itself is an information leak and does not directly allow code execution or privilege escalation, the leaked information can facilitate more sophisticated attacks such as bypassing kernel security mitigations or crafting targeted exploits. This is especially critical for organizations handling sensitive data or operating critical infrastructure where kernel-level security is paramount. The vulnerability could be exploited by local attackers or malicious insiders with access to the system to gain kernel memory insights, increasing the risk of subsequent privilege escalation attacks. European sectors such as finance, telecommunications, government, and cloud service providers that rely on Linux servers with Btrfs may face increased risk if patches are not applied promptly. Additionally, the vulnerability could affect embedded Linux devices or appliances using Btrfs, which are common in industrial and IoT contexts within Europe.
Mitigation Recommendations
To mitigate CVE-2024-35849, European organizations should:
1) Apply the official Linux kernel patches that replace kvmalloc() with kvzalloc() in the btrfs_ioctl_logical_to_ino() function as soon as they become available from their Linux distribution vendors or kernel maintainers.
2) If immediate patching is not feasible, consider disabling or restricting access to Btrfs ioctl interfaces, especially btrfs_ioctl_logical_to_ino(), to untrusted or non-administrative users to limit exploitation vectors.
3) Monitor and audit local user activities on Linux systems with Btrfs to detect unusual ioctl usage or attempts to access kernel memory via this interface.
4) Employ kernel hardening and exploit mitigation techniques such as KASLR, SELinux/AppArmor policies, and mandatory access controls to reduce the impact of information leaks.
5) Maintain up-to-date inventories of Linux kernel versions and filesystems in use to prioritize patching efforts.
6) For cloud or virtualized environments, ensure that host and guest kernels are patched to prevent cross-VM or container breakout attempts leveraging kernel memory disclosures.
7) Educate system administrators about the risks of unpatched kernel vulnerabilities and the importance of timely updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.105Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3641
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:39:45 PM
Last updated: 8/2/2025, 7:19:33 AM
Views: 14
Related Threats
- CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-9024: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)
- CVE-2025-9023: Buffer Overflow in Tenda AC7 (High)
- CVE-2025-8905: CWE-94 Improper Control of Generation of Code ('Code Injection') in inpersttion Inpersttion For Theme (Medium)
- CVE-2025-8720: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in morehawes Plugin README Parser (Medium)