CVE-2024-50118: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: btrfs: reject ro->rw reconfiguration if there are hard ro requirements [BUG] Syzbot reports the following crash: BTRFS info (device loop0 state MCS): disabling free space tree BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1) BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2) Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline] RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Call Trace: <TASK> btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfs_remount_rw fs/btrfs/super.c:1309 [inline] btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline] btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline] btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115 vfs_get_tree+0x90/0x2b0 fs/super.c:1800 do_new_mount+0x2be/0xb40 fs/namespace.c:3472 do_mount fs/namespace.c:3812 [inline] __do_sys_mount fs/namespace.c:4020 [inline] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [CAUSE] To support mounting different subvolume with different RO/RW flags for the new mount APIs, btrfs introduced two workaround to support this feature: - Skip mount option/feature checks if we are mounting a different subvolume - Reconfigure the fs to RW if the initial mount is RO Combining these two, we can have the following sequence: - Mount the fs ro,rescue=all,clear_cache,space_cache=v1 rescue=all will mark the fs as hard read-only, so no v2 cache clearing will happen. - Mount a subvolume rw of the same fs. We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY because our new fc is RW, different from the original fs. Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag first so that we can grab the existing fs_info. Then we reconfigure the fs to RW. - During reconfiguration, option/features check is skipped This means we will restart the v2 cache clearing, and convert back to v1 cache. This will trigger fs writes, and since the original fs has "rescue=all" option, it skips the csum tree read. And eventually causing NULL pointer dereference in super block writeback. [FIX] For reconfiguration caused by different subvolume RO/RW flags, ensure we always run btrfs_check_options() to ensure we have proper hard RO requirements met. In fact the function btrfs_check_options() doesn't really do many complex checks, but hard RO requirement and some feature dependency checks, thus there is no special reason not to do the check for mount reconfiguration.
AI Analysis
Technical Summary
CVE-2024-50118 is a vulnerability in the Linux kernel's Btrfs filesystem implementation related to the handling of read-only (RO) to read-write (RW) reconfiguration during mount operations involving subvolumes. Btrfs introduced features to allow mounting different subvolumes with different RO/RW flags, which required certain workarounds. Specifically, when a filesystem is initially mounted as read-only with hard RO requirements (e.g., using the 'rescue=all' mount option), and then a subvolume is mounted as read-write, the kernel attempts to reconfigure the filesystem state from RO to RW. During this reconfiguration, the kernel skips certain mount option and feature checks, which leads to an inconsistent state where the filesystem attempts to clear or convert cache trees improperly. This triggers writes to the filesystem superblock without proper validation, resulting in a NULL pointer dereference and a general protection fault (kernel crash). The root cause is that the function btrfs_check_options(), which enforces hard RO requirements and feature dependencies, is not called during the reconfiguration triggered by mounting subvolumes with different RO/RW flags. The fix ensures that btrfs_check_options() is always called during such reconfigurations to prevent violating hard RO constraints. This vulnerability can cause a denial of service (DoS) by crashing the kernel when the affected sequence of mount operations is performed. It affects Linux kernel versions containing the specified commit hashes and is relevant to systems using Btrfs with subvolume mounts and specific mount options like 'rescue=all'. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, this vulnerability poses a risk primarily as a denial-of-service attack vector against Linux systems using Btrfs filesystems with subvolume mounts and specific read-only mount options. Organizations relying on Btrfs for critical storage, especially those using advanced mount options or subvolume configurations, could experience kernel crashes leading to system downtime, data unavailability, and potential disruption of services. This is particularly impactful for data centers, cloud providers, and enterprises running Linux-based infrastructure with Btrfs. While the vulnerability does not directly lead to privilege escalation or data corruption, the resulting kernel panic can interrupt operations and require system reboots, affecting availability. Given the widespread use of Linux in European public sector, financial institutions, and technology companies, the vulnerability could impact critical infrastructure if exploited or triggered unintentionally during maintenance or automated mount operations. The absence of known exploits reduces immediate risk, but the complexity of the issue means that misconfiguration or automated scripts could inadvertently trigger the fault, causing operational disruptions.
Mitigation Recommendations
European organizations should apply the following specific mitigations: 1) Update Linux kernels to versions containing the patch that ensures btrfs_check_options() is called during RO to RW reconfiguration, as soon as vendor patches become available. 2) Audit and review Btrfs mount configurations, especially those using 'rescue=all' or similar hard RO options, to avoid mounting subvolumes with conflicting RO/RW flags that trigger reconfiguration. 3) Implement monitoring for kernel oops and crashes related to Btrfs to detect potential triggering of this vulnerability. 4) In environments where immediate patching is not possible, avoid using the problematic mount option combinations or subvolume mount sequences that lead to reconfiguration. 5) Test mount operations involving Btrfs subvolumes in staging environments to detect any crashes before deploying changes in production. 6) Engage with Linux distribution vendors for timely updates and guidance on this vulnerability. These steps go beyond generic advice by focusing on configuration review, operational monitoring, and controlled testing of Btrfs mount behaviors.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-50118: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: reject ro->rw reconfiguration if there are hard ro requirements [BUG] Syzbot reports the following crash: BTRFS info (device loop0 state MCS): disabling free space tree BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1) BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2) Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline] RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Call Trace: <TASK> btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfs_remount_rw fs/btrfs/super.c:1309 [inline] btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline] btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline] btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115 vfs_get_tree+0x90/0x2b0 fs/super.c:1800 do_new_mount+0x2be/0xb40 fs/namespace.c:3472 do_mount fs/namespace.c:3812 [inline] __do_sys_mount fs/namespace.c:4020 [inline] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [CAUSE] To support mounting different subvolume with different RO/RW flags for the new mount APIs, btrfs introduced two workaround to support this feature: - Skip mount option/feature checks if we are mounting a different subvolume - Reconfigure the fs to RW if the initial mount is RO Combining these two, we can have the following sequence: - Mount the fs ro,rescue=all,clear_cache,space_cache=v1 rescue=all will mark the fs as hard read-only, so no v2 cache clearing will happen. - Mount a subvolume rw of the same fs. We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY because our new fc is RW, different from the original fs. Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag first so that we can grab the existing fs_info. Then we reconfigure the fs to RW. - During reconfiguration, option/features check is skipped This means we will restart the v2 cache clearing, and convert back to v1 cache. This will trigger fs writes, and since the original fs has "rescue=all" option, it skips the csum tree read. And eventually causing NULL pointer dereference in super block writeback. [FIX] For reconfiguration caused by different subvolume RO/RW flags, ensure we always run btrfs_check_options() to ensure we have proper hard RO requirements met. In fact the function btrfs_check_options() doesn't really do many complex checks, but hard RO requirement and some feature dependency checks, thus there is no special reason not to do the check for mount reconfiguration.
AI-Powered Analysis
Technical Analysis
CVE-2024-50118 is a vulnerability in the Linux kernel's Btrfs filesystem implementation related to the handling of read-only (RO) to read-write (RW) reconfiguration during mount operations involving subvolumes. Btrfs introduced features to allow mounting different subvolumes with different RO/RW flags, which required certain workarounds. Specifically, when a filesystem is initially mounted as read-only with hard RO requirements (e.g., using the 'rescue=all' mount option), and then a subvolume is mounted as read-write, the kernel attempts to reconfigure the filesystem state from RO to RW. During this reconfiguration, the kernel skips certain mount option and feature checks, which leads to an inconsistent state where the filesystem attempts to clear or convert cache trees improperly. This triggers writes to the filesystem superblock without proper validation, resulting in a NULL pointer dereference and a general protection fault (kernel crash). The root cause is that the function btrfs_check_options(), which enforces hard RO requirements and feature dependencies, is not called during the reconfiguration triggered by mounting subvolumes with different RO/RW flags. The fix ensures that btrfs_check_options() is always called during such reconfigurations to prevent violating hard RO constraints. This vulnerability can cause a denial of service (DoS) by crashing the kernel when the affected sequence of mount operations is performed. It affects Linux kernel versions containing the specified commit hashes and is relevant to systems using Btrfs with subvolume mounts and specific mount options like 'rescue=all'. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, this vulnerability poses a risk primarily as a denial-of-service attack vector against Linux systems using Btrfs filesystems with subvolume mounts and specific read-only mount options. Organizations relying on Btrfs for critical storage, especially those using advanced mount options or subvolume configurations, could experience kernel crashes leading to system downtime, data unavailability, and potential disruption of services. This is particularly impactful for data centers, cloud providers, and enterprises running Linux-based infrastructure with Btrfs. While the vulnerability does not directly lead to privilege escalation or data corruption, the resulting kernel panic can interrupt operations and require system reboots, affecting availability. Given the widespread use of Linux in European public sector, financial institutions, and technology companies, the vulnerability could impact critical infrastructure if exploited or triggered unintentionally during maintenance or automated mount operations. The absence of known exploits reduces immediate risk, but the complexity of the issue means that misconfiguration or automated scripts could inadvertently trigger the fault, causing operational disruptions.
Mitigation Recommendations
European organizations should apply the following specific mitigations: 1) Update Linux kernels to versions containing the patch that ensures btrfs_check_options() is called during RO to RW reconfiguration, as soon as vendor patches become available. 2) Audit and review Btrfs mount configurations, especially those using 'rescue=all' or similar hard RO options, to avoid mounting subvolumes with conflicting RO/RW flags that trigger reconfiguration. 3) Implement monitoring for kernel oops and crashes related to Btrfs to detect potential triggering of this vulnerability. 4) In environments where immediate patching is not possible, avoid using the problematic mount option combinations or subvolume mount sequences that lead to reconfiguration. 5) Test mount operations involving Btrfs subvolumes in staging environments to detect any crashes before deploying changes in production. 6) Engage with Linux distribution vendors for timely updates and guidance on this vulnerability. These steps go beyond generic advice by focusing on configuration review, operational monitoring, and controlled testing of Btrfs mount behaviors.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.948Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbdffd6
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 5:26:49 PM
Last updated: 8/16/2025, 12:12:39 AM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.