
CVE-2024-40962: Vulnerability in Linux (Linux kernel)

Medium
Published: Fri Jul 12 2024 (07/12/2024, 12:32:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes

Shin'ichiro reported that when he's running fstests' test-case btrfs/167 on emulated zoned devices, he's seeing the following NULL pointer dereference in 'btrfs_zone_finish_endio()':

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4
Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
RSP: 0018:ffff88867f107a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028
R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000
R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210
FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? die_addr+0x46/0x70
 ? exc_general_protection+0x14f/0x250
 ? asm_exc_general_protection+0x26/0x30
 ? do_raw_read_unlock+0x44/0x70
 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
 btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_write_lock+0x90/0x260
 ? __pfx_do_raw_write_lock+0x10/0x10
 ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
 ? _raw_write_unlock+0x23/0x40
 ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]
 ? lock_acquire+0x435/0x500
 btrfs_work_helper+0x1b1/0xa70 [btrfs]
 ? __schedule+0x10a8/0x60b0
 ? __pfx___might_resched+0x10/0x10
 process_one_work+0x862/0x1410
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 ? assign_work+0x16c/0x240
 worker_thread+0x5e6/0x1010
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x2c3/0x3a0
 ? trace_irq_enable.constprop.0+0xce/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to trigger:

assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815

This indicates that we're missing the checksums list on the ordered_extent. As btrfs/167 is doing a NOCOW write this is to be expected.

Further analysis with drgn confirmed the assumption:

>>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode
>>> btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \
"vfs_inode")
>>> print(btrfs_inode.flags)
(u32)1

As zoned emulation mode simulates conventional zones on regular devices, we cannot use zone-append for writing. But we're only attaching dummy checksums if we're doing a zone-append write.

So for NOCOW zoned data writes on conventional zones, also attach a dummy checksum.

AI-Powered Analysis

Last updated: 06/29/2025, 02:54:56 UTC

Technical Analysis

CVE-2024-40962 is a NULL pointer dereference in the Linux kernel's Btrfs filesystem, in the code path that handles zoned block devices. A zoned block device divides its media into zones: sequential-write-required zones must be written in order and are normally written with the zone-append command, while conventional zones accept random writes. Btrfs also offers a zoned emulation mode that treats a regular (non-zoned) device as if it consisted entirely of conventional zones, so zone append cannot be used there at all.

The defect is in how checksum records are attached to an ordered extent before a data write is submitted. A write that carries data checksums gets its checksum list attached as usual. A write that carries none (NODATASUM, which on Btrfs is implied by NOCOW, i.e. no copy-on-write, files) got a dummy checksum entry only when it was submitted as a zone-append operation. On conventional zones, and therefore on every zone of an emulated zoned device, NOCOW data writes are plain writes, so nothing was attached and the ordered extent's list stayed empty. The completion handler btrfs_zone_finish_endio(), running from the btrfs-endio-write workqueue, expects that list to be populated and ends up dereferencing a field at offset 0x88 from a NULL base pointer: the oops reports a general protection fault for the non-canonical address 0xdffffc0000000011, which is the KASAN shadow address of 0x88; KASAN itself classifies it as a null-ptr-deref in the range [0x88-0x8f], and RDI holds 0x88 in the register dump. On a CONFIG_BTRFS_ASSERT build the same condition instead trips the assertion !list_empty(&ordered->list) in fs/btrfs/zoned.c, and the drgn session in the report shows the inode's flags value of 1, which is the NODATASUM inode flag.

The issue surfaced while running the fstests case btrfs/167, which performs a NOCOW write, on emulated zoned devices. The fix attaches a dummy checksum for NOCOW zoned data writes on conventional zones as well, not only for zone-append writes. The crash was reproduced on a 6.10.0-rc2 development build; this page does not list affected stable version ranges, so any kernel whose Btrfs zoned code predates the fix should be treated as affected until your distribution confirms otherwise. No exploitation in the wild is reported here, and no CVSS score has been assigned.
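To show how to read the fault address in the oops quoted above, here is an added example, written for this page and not code from the kernel or from the report, that decodes the non-canonical address as a KASAN shadow address and recovers the pointer that was really dereferenced. The constants are the x86_64 generic KASAN values (one shadow byte per 8-byte granule, the default CONFIG_KASAN_SHADOW_OFFSET); the OOPS string is an excerpt of the report's own register dump; the function names and result layout are this example's own.

```python
import re

# Generic KASAN on x86_64: one shadow byte covers an 8-byte granule and
# shadow_addr = (addr >> 3) + KASAN_SHADOW_OFFSET. The offset is the kernel's
# default CONFIG_KASAN_SHADOW_OFFSET for x86_64.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
# Shadow of the user half (0 .. 2^63) is offset .. offset + 2^60. Those shadow
# addresses are non-canonical on x86_64, so the instrumented shadow load itself
# raises #GP; that is why the oops says "probably for non-canonical address".
USER_HALF_SHADOW_SIZE = 1 << (63 - KASAN_SHADOW_SCALE_SHIFT)

# Excerpt of the oops quoted in the advisory (header, RIP and first register lines).
OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
RSP: 0018:ffff88867f107a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
"""

REG_RE = re.compile(r"\b(R[ABCD]X|R[SD]I|R[SB]P|R\d{1,2}): ([0-9a-f]{16})\b")


def is_shadow_of_user_addr(addr):
    """True if addr is the KASAN shadow of a user-half (or NULL-based) pointer."""
    return KASAN_SHADOW_OFFSET <= addr < KASAN_SHADOW_OFFSET + USER_HALF_SHADOW_SIZE


def shadow_to_addr(shadow):
    """Invert the shadow mapping; returns the start of the 8-byte granule."""
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT


def parse_oops(text):
    """Extract fault address, RIP symbol, KASAN range and general registers."""
    fault = re.search(r"non-canonical address 0x([0-9a-fA-F]+)", text)
    rip = re.search(r"RIP: [0-9a-f]{4}:(\S+)", text)
    kasan = re.search(r"null-ptr-deref in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]", text)
    return {
        "fault_addr": int(fault.group(1), 16) if fault else None,
        "rip_symbol": rip.group(1) if rip else None,
        "kasan_range": (int(kasan.group(1), 16), int(kasan.group(2), 16)) if kasan else None,
        "regs": {name: int(val, 16) for name, val in REG_RE.findall(text)},
    }


def triage(text):
    """Decide whether a #GP was a KASAN shadow load and which address it stands for."""
    info = parse_oops(text)
    out = {"symbol": info["rip_symbol"], "shadow_fault": False,
           "deref_addr": None, "null_field_offset": None, "consistent": False}
    fa = info["fault_addr"]
    if fa is not None and is_shadow_of_user_addr(fa):
        out["shadow_fault"] = True
        addr = shadow_to_addr(fa)
        out["deref_addr"] = addr
        # An address below one page is a NULL base plus a struct field offset.
        if addr < 0x1000:
            out["null_field_offset"] = addr
        # Cross-check against KASAN's own range and the register carrying the pointer.
        rng = info["kasan_range"]
        out["consistent"] = (rng is not None and rng[0] == addr
                             and addr in info["regs"].values())
    return out


if __name__ == "__main__":
    print(triage(OOPS))
```

On the excerpt this reports a shadow fault standing for address 0x88, agreeing with KASAN's [0x88-0x8f] range and with RDI, so the real bug is a NULL struct pointer whose field at offset 0x88 was read, not a wild pointer into the 0xdffffc... region. The decoding applies only to non-canonical fault addresses inside the user-half shadow; a canonical kernel-half address in a GPF is a real access and should be triaged as such.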

Potential Impact

The vulnerability crashes the kernel (a general protection fault raised from the btrfs-endio-write workqueue) on Linux systems that mount Btrfs in zoned mode and perform NODATASUM/NOCOW data writes to conventional zones; the report reproduced it on emulated zoned devices, where every zone is conventional. For European organizations running Linux servers with Btrfs on zoned storage (host-managed SMR or NVMe ZNS devices, or regular devices under Btrfs zoned emulation), the result is unexpected downtime and data unavailability for whatever that host serves. The fault is a NULL dereference rather than a memory-corruption primitive, and nothing on this page indicates privilege escalation or on-disk corruption; the impact is on availability. Virtualised and container hosts deserve the most attention, since one crash takes every workload on the node down with it.

The preconditions are specific, so the exposed population is small, but the trigger itself is not exotic: it is an ordinary write to a NOCOW file, which on Btrfs means any file carrying the C attribute (chattr +C, settable by the file's owner) or any file on a filesystem mounted with nodatacow. A local unprivileged user with write access to such a filesystem should therefore be assumed able to crash the host; no exploit development is needed beyond reaching that write path. No exploitation in the wild is reported, and no CVSS score is assigned on this page. Confidentiality and integrity impact are low; availability impact ranges from medium to high depending on what runs on the affected host.

Mitigation Recommendations

1. Update to a kernel that contains the fix named in the description ("btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes"), using your distribution's kernel updates, and confirm from its changelog that the backport is included.
2. Until patched, do not mount Btrfs in zoned mode on affected kernels; this includes zoned emulation on regular block devices, not only real zoned hardware.
3. Where zoned Btrfs must stay in service, avoid the writes that reach the broken path: do not mount with nodatacow and do not set the C attribute (chattr +C) on files, since NOCOW implies NODATASUM.
4. Monitor kernel logs for a general protection fault or oops whose RIP is in btrfs_zone_finish_endio() on the btrfs-endio-write workqueue and, on CONFIG_BTRFS_ASSERT builds, for the string "assertion failed: !list_empty(&ordered->list)" from fs/btrfs/zoned.c.
5. For custom or embedded kernels, cherry-pick the fix into your tree and exercise the Btrfs zoned path before shipping, for example with the fstests case btrfs/167 on an emulated zoned device as in the original report.
6. Decide in advance how a crashed host recovers: an oops in a kernel worker thread kills only that thread and does not reboot the machine, whereas kernel.panic_on_oops=1 together with kernel.panic=<seconds> forces a reboot that monitoring can detect.
7. Confirm with storage vendors whether devices are presented as zoned (host-managed or host-aware) and whether the storage stack relies on Btrfs zoned support; that determines whether this code path is reachable at all.
8. If zoned support is not required, run Btrfs without zoned mode or use another filesystem for that storage, which removes the exposure entirely.
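For the log-monitoring recommendation above, the following is an added example, not part of the advisory or of any vendor tooling, of detection logic for this crash run over a constructed dmesg-style excerpt. The sample log lines are made up for the example (one event matching this CVE, one assertion hit from a CONFIG_BTRFS_ASSERT build, one unrelated NULL dereference that must not be flagged); the signature strings come from the oops and assertion quoted in the description; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed kernel log excerpt, not captured from a real system.
SAMPLE_LOG = """\
[12345.001] BTRFS info (device nvme0n1): zoned mode enabled with zone size 268435456
[12345.100] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
[12345.101] KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
[12345.102] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
[12345.103] RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
[12345.104] Call Trace:
[12345.105]  <TASK>
[12345.106]  btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]
[12345.107]  btrfs_work_helper+0x1b1/0xa70 [btrfs]
[12345.108]  </TASK>
[12346.000] assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815
[12400.000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[12400.001] RIP: 0010:otherdrv_irq+0x10/0x40 [otherdrv]
[12400.002] Call Trace:
[12400.003]  <TASK>
[12400.004]  handle_irq_event+0x20/0x30
[12400.005]  </TASK>
"""

# Start and end markers of an oops block as the kernel prints it.
CRASH_START = re.compile(r"general protection fault|BUG: kernel NULL pointer dereference|BUG: unable to handle")
CRASH_END = re.compile(r"</TASK>|---\[ end trace")
# Assertion text from the CONFIG_BTRFS_ASSERT build in the report.
ASSERT_RE = re.compile(r"assertion failed: !list_empty\(&ordered->list\), in fs/btrfs/zoned\.c:\d+")
SIGNATURE_FN = "btrfs_zone_finish_endio"
SIGNATURE_WQ = "btrfs-endio-write"


@dataclass
class Finding:
    first_line: int   # 1-based line number of the event's first log line
    kind: str         # "oops" or "assert"
    confidence: str   # "high" or "medium"
    lines: list


def _collect_event(lines, start, limit):
    """Gather one oops block from lines[start] to its end marker; return (block, resume index)."""
    event = [lines[start]]
    j = start + 1
    while j < len(lines) and len(event) < limit:
        event.append(lines[j])
        j += 1
        if CRASH_END.search(lines[j - 1]):
            break
    return event, j


def scan_kernel_log(text, max_event_lines=80):
    """Return Findings for every event in the log that matches this CVE's crash signature."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if ASSERT_RE.search(line):
            findings.append(Finding(i + 1, "assert", "high", [line]))
            i += 1
            continue
        if CRASH_START.search(line):
            event, resume = _collect_event(lines, i, max_event_lines)
            # The crashing function must appear in the RIP line or in the call trace.
            if any(SIGNATURE_FN in l for l in event):
                rip_hit = any("RIP:" in l and SIGNATURE_FN in l for l in event)
                wq_hit = any(SIGNATURE_WQ in l for l in event)
                conf = "high" if rip_hit and wq_hit else "medium"
                findings.append(Finding(i + 1, "oops", conf, event))
            i = resume
            continue
        i += 1
    return findings


if __name__ == "__main__":
    for f in scan_kernel_log(SAMPLE_LOG):
        print(f"line {f.first_line}: {f.kind} ({f.confidence})")
```

Feed it the output of dmesg or journalctl -k; a "high" finding means the RIP was in btrfs_zone_finish_endio() on the btrfs-endio-write workqueue, exactly as in the report, while "medium" means the function only appeared somewhere in the call trace and deserves a look at the full block.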


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-07-12T12:17:45.594Z
CISA Enriched
true
CVSS Version
null
State
PUBLISHED

Threat ID: 682d9827c4522896dcbe14e4

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 2:54:56 AM

Last updated: 8/5/2025, 6:51:47 PM

Views: 12

