CVE-2024-49869: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

btrfs: send: fix buffer overflow detection when copying path to cache entry

Starting with commit c0247d289e73 ("btrfs: send: annotate struct name_cache_entry with __counted_by()") we annotated the variable length array "name" from the name_cache_entry structure with __counted_by() to improve overflow detection. However that alone was not correct, because the length of that array does not match the "name_len" field - it matches that plus 1 to include the NUL string terminator, so that makes a fortified kernel think there's an overflow and report a splat like this:

  strcpy: detected buffer overflow: 20 byte write of buffer size 19
  WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50
  CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1
  Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018
  RIP: 0010:__fortify_report+0x45/0x50
  Code: 48 8b 34 (...)
  RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246
  RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027
  RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8
  RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd
  R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400
  R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8
  FS:  00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0
  Call Trace:
   <TASK>
   ? __warn+0x12a/0x1d0
   ? __fortify_report+0x45/0x50
   ? report_bug+0x154/0x1c0
   ? handle_bug+0x42/0x70
   ? exc_invalid_op+0x1a/0x50
   ? asm_exc_invalid_op+0x1a/0x20
   ? __fortify_report+0x45/0x50
   __fortify_panic+0x9/0x10
   __get_cur_name_and_parent+0x3bc/0x3c0
   get_cur_path+0x207/0x3b0
   send_extent_data+0x709/0x10d0
   ? find_parent_nodes+0x22df/0x25d0
   ? mas_nomem+0x13/0x90
   ? mtree_insert_range+0xa5/0x110
   ? btrfs_lru_cache_store+0x5f/0x1e0
   ? iterate_extent_inodes+0x52d/0x5a0
   process_extent+0xa96/0x11a0
   ? __pfx_lookup_backref_cache+0x10/0x10
   ? __pfx_store_backref_cache+0x10/0x10
   ? __pfx_iterate_backrefs+0x10/0x10
   ? __pfx_check_extent_item+0x10/0x10
   changed_cb+0x6fa/0x930
   ? tree_advance+0x362/0x390
   ? memcmp_extent_buffer+0xd7/0x160
   send_subvol+0xf0a/0x1520
   btrfs_ioctl_send+0x106b/0x11d0
   ? __pfx___clone_root_cmp_sort+0x10/0x10
   _btrfs_ioctl_send+0x1ac/0x240
   btrfs_ioctl+0x75b/0x850
   __se_sys_ioctl+0xca/0x150
   do_syscall_64+0x85/0x160
   ? __count_memcg_events+0x69/0x100
   ? handle_mm_fault+0x1327/0x15c0
   ? __se_sys_rt_sigprocmask+0xf1/0x180
   ? syscall_exit_to_user_mode+0x75/0xa0
   ? do_syscall_64+0x91/0x160
   ? do_user_addr_fault+0x21d/0x630
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7fae145eeb4f
  Code: 00 48 89 (...)
  RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f
  RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004
  RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927
  R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8
  R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004
   </TASK>

Fix this by not storing the NUL string terminator since we don't actually need it for name cache entries, this way "name_len" corresponds to the actual size of the "name" array. This requires marking the "name" array field with __nonstring and using memcpy() instead of strcpy() as recommended by the guidelines at:

https://github.com/KSPP/linux/issues/90
AI Analysis
Technical Summary
CVE-2024-49869 is a bug in the Linux kernel's Btrfs 'send' code, the ioctl behind btrfs send that serialises a read-only subvolume, or the difference between two snapshots, into a stream for backup and replication. While building file paths, send caches the name and parent of inodes it has already resolved in struct name_cache_entry, whose variable-length 'name' array was annotated with __counted_by(name_len) by commit c0247d289e73 so that fortified string functions could bounds-check writes into it. The annotation disagreed with the existing layout: each entry is allocated with name_len + 1 bytes of 'name' so that strcpy() can append a NUL terminator, but __counted_by(name_len) tells the compiler the array is only name_len bytes long. On a kernel built with CONFIG_FORTIFY_SOURCE the strcpy() in __get_cur_name_and_parent() therefore reports a write of name_len + 1 bytes into a name_len-byte buffer (the splat above shows a 20-byte write into a 19-byte buffer), and __fortify_panic() follows the WARNING with a BUG() that kills the btrfs process performing the send, or panics the host where panic_on_oops is set. No memory is actually overwritten; the allocation is large enough and the report is a false positive caused by the wrong bound. The fix stops storing the NUL terminator, so that name_len becomes the exact size of the 'name' array, marks the array __nonstring, and copies it with memcpy() instead of strcpy(), as the guidelines at https://github.com/KSPP/linux/issues/90 recommend. The issue is not a memory-corruption or privilege-escalation primitive, and the send ioctl requires CAP_SYS_ADMIN; its impact is denial of service against Btrfs send on affected kernels. Affected kernels are those that contain commit c0247d289e73 but not the fix; the reported splat was produced on 6.11.0. No exploits are known in the wild as of publication, and no CVSS score has been assigned.
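As an added illustration of the size mismatch described above (example code written for this page, not code from the Linux kernel or the btrfs tree), the following userspace C program models the two name_cache_entry layouts: the pre-fix one that allocates room for a NUL and copies with strcpy(), and the post-fix one that stores exactly name_len bytes and copies and compares with memcpy()/memcmp(). The struct names, the fortify_check() helper and the sample path are assumptions made for the example; in the kernel the comparison is done by the fortified strcpy()/memcpy() wrappers behind CONFIG_FORTIFY_SOURCE, and __nonstring is represented here only by a comment.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's __counted_by(); clang >= 18 and
 * gcc >= 15 honour it, elsewhere it expands to nothing.  The size
 * arithmetic below is what the annotation makes a fortified kernel check. */
#if __has_attribute(counted_by)
# define COUNTED_BY(f) __attribute__((counted_by(f)))
#else
# define COUNTED_BY(f)
#endif

/* Layout from commit c0247d289e73 (modelled): allocated with name_len + 1
 * bytes of "name" so strcpy() can append a NUL, while __counted_by(name_len)
 * tells the compiler the array holds only name_len bytes. */
struct entry_before {
	int name_len;
	char name[] COUNTED_BY(name_len);
};

/* Layout after the fix (modelled): no NUL stored, so name_len is the exact
 * size.  The kernel also adds __nonstring (gcc's nonstring attribute) to
 * flag that "name" is not a C string and must not be passed to str*(). */
struct entry_after {
	int name_len;
	char name[] COUNTED_BY(name_len);
};

struct fortify_result {
	size_t dest_size;   /* size the compiler derives from __counted_by */
	size_t write_size;  /* bytes the copy is about to write */
	int rc;             /* 0: allowed; -1: WARN + BUG() in the kernel */
};

/* The comparison a fortified strcpy()/memcpy() performs at run time. */
static struct fortify_result fortify_check(size_t dest_size, size_t write_size)
{
	struct fortify_result r = { dest_size, write_size, 0 };

	if (write_size > dest_size)
		r.rc = -1;  /* "detected buffer overflow: N byte write of buffer size M" */
	return r;
}

/* Pre-fix path: room for the NUL exists, but strcpy() writes len + 1
 * bytes into what the annotation describes as a len-byte array. */
struct fortify_result cache_before(const char *name)
{
	size_t len = strlen(name);
	struct entry_before *e = malloc(sizeof(*e) + len + 1);
	struct fortify_result r = { 0, 0, -2 };   /* -2: allocation failed */

	if (!e)
		return r;
	e->name_len = (int)len;
	r = fortify_check((size_t)e->name_len, len + 1);
	if (r.rc == 0)
		strcpy(e->name, name);  /* unreachable: len + 1 > len for every name */
	free(e);
	return r;
}

/* Post-fix path: store `stored` with exactly name_len bytes and no NUL,
 * then probe the entry with `probe` using name_len + memcmp(), never
 * strcmp().  Returns 1 on a hit, 0 on a miss, -1 if the fortified copy
 * would have fired, -2 on allocation failure. */
int after_store_and_lookup(const char *stored, const char *probe)
{
	size_t len = strlen(stored), plen = strlen(probe);
	struct entry_after *e = malloc(sizeof(*e) + len);
	struct fortify_result r;
	int hit;

	if (!e)
		return -2;
	e->name_len = (int)len;       /* set the count before touching "name" */
	r = fortify_check((size_t)e->name_len, len);
	if (r.rc == 0)
		memcpy(e->name, stored, len);   /* len bytes into a len-byte array */
	hit = r.rc ? -1 :
	      ((size_t)e->name_len == plen && memcmp(e->name, probe, plen) == 0);
	free(e);
	return hit;
}

int main(void)
{
	/* Constructed 19-character path, matching the splat's numbers. */
	const char *path = "dir/sub/file_01.txt";
	struct fortify_result r = cache_before(path);

	printf("before: %zu byte write of buffer size %zu -> %s\n",
	       r.write_size, r.dest_size, r.rc ? "FORTIFY splat" : "ok");
	printf("after:  same path -> %d, other path -> %d\n",
	       after_store_and_lookup(path, path),
	       after_store_and_lookup(path, "dir/sub/file_02.txt"));
	return 0;
}
```

Build with `cc -Wall -o name_cache name_cache.c`. On clang 18+ or gcc 15+ the COUNTED_BY macro expands to the real attribute, and __builtin_dynamic_object_size(e->name, 1) on either struct then returns the same name_len figure the model passes to fortify_check(); the pre-fix path reports a 20-byte write into a 19-byte buffer for the sample path, the post-fix path copies 19 bytes into 19 and the lookup hits only when both the length and the bytes match.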
Potential Impact
For European organizations, the impact of CVE-2024-49869 is to availability only. On an affected kernel built with CONFIG_FORTIFY_SOURCE (enabled in most distribution kernels), a Btrfs send that stores a name cache entry trips the fortify check: the btrfs process performing the send is killed by BUG(), and where panic_on_oops is set (the default in some enterprise distributions) the whole host panics. Organizations that ship snapshots with btrfs send for backup or replication may therefore see every such job fail, or hosts reboot during the backup window, leaving replicas stale and lengthening recovery points. The on-disk filesystem is not corrupted and no data is exposed; the bug is not a privilege-escalation or code-execution primitive, and because the send ioctl requires CAP_SYS_ADMIN an unprivileged local user cannot trigger it. European organizations with strict uptime or recovery-point requirements, or running critical infrastructure on Btrfs, should prioritise patching. The bug also illustrates a side effect of kernel hardening: a __counted_by() bound that disagrees with the real allocation turns a harmless copy into a crash, so such annotations must match the allocation exactly.
Mitigation Recommendations
To mitigate CVE-2024-49869, European organizations should: 1) Update to a kernel that carries the fix, the commit titled "btrfs: send: fix buffer overflow detection when copying path to cache entry". Note that c0247d289e73 is the commit that introduced the problem, not the fix: a kernel is affected if it contains c0247d289e73 but not the later fix, and a kernel without c0247d289e73 is not affected at all. 2) If patching is not immediately possible, pause Btrfs send on affected hosts, especially automated backup or replication jobs, since on a kernel built with CONFIG_FORTIFY_SOURCE a send that emits file paths hits the check and is killed. Rebuilding the kernel without CONFIG_FORTIFY_SOURCE would also avoid the splat but removes a hardening feature and is not recommended. 3) Watch kernel logs for "strcpy: detected buffer overflow" followed by a call trace through __get_cur_name_and_parent and btrfs_ioctl_send. On an affected kernel this means a send job has just been killed; it is not an indicator of an attack, since the ioctl requires CAP_SYS_ADMIN. 4) Test the updated kernel in staging, including a full send/receive cycle, before deploying it. 5) Keep backup and recovery procedures working while send is paused, and verify that the last replicas produced before the upgrade are complete, since a killed send leaves a truncated stream. 6) Migrating critical workloads to another filesystem is not warranted for this issue: only the send path is affected and on-disk data is not at risk. 7) Follow Linux distribution vendor advisories for the backported fix.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.019Z
- CISA Enriched: true
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe081a
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 8:56:38 PM
Last updated: 8/16/2025, 5:20:23 AM