
CVE-2024-35949: Vulnerability in the Linux kernel (Btrfs)

High
Published: Mon May 20 2024 (05/20/2024, 09:17:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: make sure that WRITTEN is set on all metadata blocks

We previously would call btrfs_check_leaf() if we had the check integrity code enabled, which meant that we could only run the extended leaf checks if we had WRITTEN set on the header flags. This leaves a gap in our checking, because we could end up with corruption on disk where WRITTEN isn't set on the leaf, and then the extended leaf checks don't get run which we rely on to validate all of the item pointers to make sure we don't access memory outside of the extent buffer.

However, since 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only ever call it on blocks that are being written out, and thus have WRITTEN set, or that are being read in, which should have WRITTEN set.

Add checks to make sure we have WRITTEN set appropriately, and then make sure __btrfs_check_leaf() always does the item checking. This will protect us from file systems that have been corrupted and no longer have WRITTEN set on some of the blocks.

This was hit on a crafted image tweaking the WRITTEN bit and reported by KASAN as out-of-bound access in the eb accessors. The example is a dir item at the end of an eb.

[2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2
[2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
[2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]
[2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1
[2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0
[2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206
[2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0
[2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748
[2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9
[2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a
[2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8
[2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
[2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0
[2.621] Call Trace:
[2.621] <TASK>
[2.621] ? show_regs+0x74/0x80
[2.621] ? die_addr+0x46/0xc0
[2.621] ? exc_general_protection+0x161/0x2a0
[2.621] ? asm_exc_general_protection+0x26/0x30
[2.621] ? btrfs_get_16+0x33a/0x6d0
[2.621] ? btrfs_get_16+0x34b/0x6d0
[2.621] ? btrfs_get_16+0x33a/0x6d0
[2.621] ? __pfx_btrfs_get_16+0x10/0x10
[2.621] ? __pfx_mutex_unlock+0x10/0x10
[2.621] btrfs_match_dir_item_name+0x101/0x1a0
[2.621] btrfs_lookup_dir_item+0x1f3/0x280
[2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10
[2.621] btrfs_get_tree+0xd25/0x1910
[ copy more details from report ]

AI-Powered Analysis

Last updated: 06/29/2025, 08:26:34 UTC

Technical Analysis

CVE-2024-35949 is a vulnerability in the Btrfs filesystem in the Linux kernel, in the sanity checking of metadata (tree) blocks. Every Btrfs metadata block carries a header with a flags field; the WRITTEN flag (BTRFS_HEADER_FLAG_WRITTEN) marks a block that has been written to disk, and a block read back from disk is expected to have it set. Before the fix, the leaf checker (__btrfs_check_leaf()) only ran its extended item checks when WRITTEN was set in the header. Those item checks are what validate each item's offset and size against the block, so that the extent buffer accessors never read outside the block. That condition was tolerable while the (since removed) check-integrity code called btrfs_check_leaf() on dirty in-memory leaves, which legitimately lack WRITTEN. Since commit 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option"), btrfs_check_leaf() is only called on blocks being written out or read in, both of which should always have WRITTEN set. A leaf on disk with WRITTEN cleared is therefore still accepted, but with its item checks skipped. An attacker who can get such a crafted image mounted can place an item (in the reporter's case, a directory item at the very end of the block) whose offset and size send the accessors past the end of the extent buffer. The trace in the description shows the resulting out-of-bounds read: the "bad eb member start" warning from btrfs_get_16() for a 2-byte member at offset 16410, beyond the end of the buffer, followed by a general protection fault on a non-canonical address during mount, reached through btrfs_lookup_dir_item() and btrfs_match_dir_item_name(). The fix adds a check that WRITTEN is set on blocks being read in and written out, and makes __btrfs_check_leaf() run the item checks unconditionally, so a corrupted or crafted filesystem with WRITTEN cleared on some blocks is rejected instead of trusted. The CVE record lists the affected range as starting at commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, which is the initial Linux git commit, meaning every kernel before the fix is in scope. Two caveats for triage: mounting a Btrfs image normally requires CAP_SYS_ADMIN (Btrfs does not allow mounts from an unprivileged user namespace), so the practical vector is an attacker-controlled image that a privileged process or an automounter mounts; and the demonstrated effect is a kernel crash (denial of service) from an out-of-bounds read, not a demonstrated write primitive.
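As an added example (my own code, not the kernel's and not part of this advisory), the following C program models the leaf checks the fix is about. It builds a 16 KiB leaf in userspace using the btrfs on-disk header and item layout, runs a simplified version of the item-pointer checks from __btrfs_check_leaf() in both the pre-fix mode (skipped when WRITTEN is clear) and the fixed mode (WRITTEN required, checks unconditional), and then attempts the name_len read that btrfs_match_dir_item_name() performs. The nodesize of 16384, the inode number, the single dir item and the check wording are assumptions for illustration; the crafted scenario reproduces the numbers in the report (item pointer 0x3fff, member offset 16410).

```c
/* Added example, not kernel code: a userspace model of the btrfs leaf checks at issue in
 * CVE-2024-35949. On-disk layouts are the real btrfs format; the check logic is a simplified
 * __btrfs_check_leaf()/check_dir_item(), the accessor mirrors check_setget_bounds(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BTRFS_HEADER_FLAG_WRITTEN (1ULL << 0)
#define BTRFS_HEADER_SIZE   101u   /* sizeof(struct btrfs_header) on disk */
#define BTRFS_ITEM_SIZE     25u    /* 17-byte disk key + u32 offset + u32 size */
#define BTRFS_DIR_ITEM_SIZE 30u    /* sizeof(struct btrfs_dir_item); the name follows it */
#define BTRFS_DIR_ITEM_KEY  84
#define HDR_FLAGS_OFF       56u    /* after csum[32], fsid[16], bytenr */
#define HDR_NRITEMS_OFF     96u    /* after chunk_tree_uuid[16], generation, owner */
#define NODESIZE            16384u /* default btrfs nodesize, assumed for the sample leaves */

static uint64_t get_le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint32_t get_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* The item array follows the header; key.type is byte 8 of the 17-byte disk key. */
static const uint8_t *item_nr(const uint8_t *leaf, uint32_t slot) { return leaf + BTRFS_HEADER_SIZE + slot * BTRFS_ITEM_SIZE; }
static uint32_t item_offset(const uint8_t *leaf, uint32_t slot) { return get_le32(item_nr(leaf, slot) + 17); }
static uint32_t item_size(const uint8_t *leaf, uint32_t slot) { return get_le32(item_nr(leaf, slot) + 21); }

/* CHECK_LEGACY: pre-fix, item checks only when WRITTEN is set, leaf accepted otherwise.
 * CHECK_FIXED: WRITTEN required on a block read from disk, item checks always run. */
enum check_mode { CHECK_LEGACY, CHECK_FIXED };
static int check_leaf(const uint8_t *leaf, enum check_mode mode, const char **why)  /* 0 ok, -1 reject */
{
    bool written = get_le64(leaf + HDR_FLAGS_OFF) & BTRFS_HEADER_FLAG_WRITTEN;
    uint32_t nritems = get_le32(leaf + HDR_NRITEMS_OFF), expected_end = NODESIZE - BTRFS_HEADER_SIZE;
    if (!written) {
        if (mode == CHECK_FIXED) { *why = "WRITTEN not set on leaf"; return -1; }
        *why = "accepted without item checks (WRITTEN clear)"; return 0;   /* the gap */
    }
    if ((uint64_t)nritems * BTRFS_ITEM_SIZE > expected_end) { *why = "item array exceeds leaf"; return -1; }
    /* Item data is packed from the leaf's end downward: each item ends where the previous starts. */
    for (uint32_t i = 0; i < nritems; i++) {
        uint32_t off = item_offset(leaf, i), size = item_size(leaf, i);
        if ((uint64_t)off + size != expected_end) { *why = "item data not contiguous or out of bounds"; return -1; }
        if (off < (i + 1) * BTRFS_ITEM_SIZE) { *why = "item data overlaps item array"; return -1; }
        if (item_nr(leaf, i)[8] == BTRFS_DIR_ITEM_KEY && size < BTRFS_DIR_ITEM_SIZE) {
            *why = "dir item header crosses item boundary"; return -1;   /* as check_dir_item() */
        }
        expected_end = off;
    }
    *why = "ok"; return 0;
}

/* Model of btrfs_get_16() on a dir item's name_len (byte 27 of the struct), the read that faulted
 * in the report; where check_setget_bounds() logs "bad eb member", this refuses the read. */
static int dir_item_name_len(const uint8_t *leaf, uint32_t slot, uint16_t *out)
{
    uint32_t member = BTRFS_HEADER_SIZE + item_offset(leaf, slot) + 27;
    if (member + 2 > NODESIZE) return -1;
    *out = (uint16_t)(leaf[member] | leaf[member + 1] << 8);
    return 0;
}

/* Constructed sample leaf: one dir item for inode 256; off/size are stored as given (tamperable). */
static void build_leaf(uint8_t *leaf, bool written, uint32_t off, uint32_t size)
{
    uint8_t *it = leaf + BTRFS_HEADER_SIZE;
    memset(leaf, 0, NODESIZE);
    put_le64(leaf + HDR_FLAGS_OFF, written ? BTRFS_HEADER_FLAG_WRITTEN : 0);
    put_le32(leaf + HDR_NRITEMS_OFF, 1);
    put_le64(it, 256); it[8] = BTRFS_DIR_ITEM_KEY;      /* key.objectid, key.type */
    put_le32(it + 17, off); put_le32(it + 21, size);
    if (BTRFS_HEADER_SIZE + off + BTRFS_DIR_ITEM_SIZE + 1 <= NODESIZE) {
        leaf[BTRFS_HEADER_SIZE + off + 27] = 1;                     /* name_len = 1 */
        leaf[BTRFS_HEADER_SIZE + off + BTRFS_DIR_ITEM_SIZE] = 'x';  /* the name */
    }
}

/* Build, check, then do the lookup-time read as btrfs_lookup_dir_item() -> btrfs_match_dir_item_name()
 * would. Returns 0: accepted, read in bounds; -1: rejected; -2: accepted but the read runs past the block. */
static int run_scenario(bool written, uint32_t off, uint32_t size, enum check_mode mode)
{
    uint8_t leaf[NODESIZE]; const char *why; uint16_t name_len; int rc;
    build_leaf(leaf, written, off, size);
    rc = check_leaf(leaf, mode, &why);
    if (rc == 0 && dir_item_name_len(leaf, 0, &name_len) != 0) rc = -2;
    printf("%-6s written=%d off=%u size=%u -> %s (%s)\n", mode == CHECK_FIXED ? "fixed" : "legacy",
           written, off, size, rc == 0 ? "ok" : rc == -1 ? "rejected" : "OUT-OF-BOUNDS READ", why);
    return rc;
}

int main(void)
{
    const uint32_t data_size = NODESIZE - BTRFS_HEADER_SIZE;  /* 16283 bytes of item space */
    run_scenario(true, data_size - 31, 31, CHECK_LEGACY);     /* well-formed: 30-byte header + "x" */
    /* Reported shape: WRITTEN clear, 1-byte "dir item" as the last byte, name_len at 0x3fff + 27 = 16410 */
    run_scenario(false, data_size - 1, 1, CHECK_LEGACY);
    run_scenario(false, data_size - 1, 1, CHECK_FIXED);
    run_scenario(true, data_size - 1, 1, CHECK_FIXED);        /* WRITTEN set: the size check rejects it */
    return 0;
}
```

Compile with `cc -Wall -o leafcheck leafcheck.c`. The legacy run on the crafted leaf is the bug: the checker accepts the block and the name_len read lands two bytes past it, which in the kernel is the read KASAN flagged in btrfs_get_16(). The fixed mode rejects the same block before any item is dereferenced, and also rejects an otherwise valid leaf that merely lacks WRITTEN, which is the stricter rule the patch adds for blocks coming off disk.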

Potential Impact

For European organizations, as for any others, this vulnerability matters on Linux systems that use Btrfs, and above all on systems that mount Btrfs images they did not create themselves. The demonstrated outcome is a kernel crash (general protection fault) during mount, i.e. denial of service on the host; the underlying defect is an out-of-bounds read in the extent buffer accessors. Whether it can be pushed beyond a crash into an information leak or privilege escalation has not been shown, and no exploitation in the wild has been reported. Systems at risk include cloud and hosting platforms, virtualization and container hosts, and file servers where Btrfs volumes, snapshots, disk images or removable media from external sources are attached and mounted, for example a crafted image delivered as a tenant VM disk, a container layer, or a USB device handled by an automounter. Because mounting normally requires root, the attacker needs either a privileged process that mounts untrusted images or a workflow that does so automatically. The CVE carries no CVSS score, which reflects the kernel CNA's practice of not scoring its CVEs rather than a judgement of low severity; a kernel memory-safety bug reachable from on-disk data warrants prompt patching.

Mitigation Recommendations

Organizations should update their Linux kernels to a version that includes the fix for CVE-2024-35949 ("btrfs: make sure that WRITTEN is set on all metadata blocks"), and should audit where Btrfs is used, especially in environments where untrusted Btrfs images or snapshots are mounted. Specific steps:
1) Apply the kernel update from your distribution; its advisory for CVE-2024-35949 names the package that carries the backported fix.
2) Do not mount Btrfs images, snapshots or devices from untrusted sources on production hosts. Where an image must be inspected, run `btrfs check --readonly` from btrfs-progs on it first: it parses the metadata in userspace, so a malformed image fails there rather than in the kernel. This reduces the blast radius but is not a guarantee, since btrfs-progs has its own parser.
3) Disable automounting of removable media (desktop automount via udisks and similar) on servers and hardened workstations, so that plugging in a device cannot trigger a mount.
4) Restrict who can run mount and attach loop devices; keep CAP_SYS_ADMIN out of containers; treat VM disk images supplied by tenants as untrusted and handle them inside an isolated VM or sandbox rather than mounting them on the host.
5) For container and VM workflows, verify base images and snapshots by digest or signature before they are attached, and rebuild them on a patched kernel.
6) Monitor kernel logs for Btrfs tree-checker output during mount, in particular "bad eb member" (as in the report) and "corrupt leaf" messages, which indicate corrupted or crafted metadata.
7) Use KASAN only in test and fuzzing kernels, for example when mounting fuzzed images; it is a debugging tool, not a production hardening feature.
8) Switching to another filesystem is a last resort: every filesystem trusts some on-disk metadata and has had bugs of this class, so controlling what gets mounted, by whom, and from where is the durable control.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-17T13:50:33.134Z
CISA Enriched
true
CVSS Version
null
State
PUBLISHED

Threat ID: 682d9828c4522896dcbe2253

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 8:26:34 AM

Last updated: 8/4/2025, 5:32:32 AM

