{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-50118", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T19:36:19.948Z", "datePublished": "2024-11-05T17:10:48.641Z", "dateUpdated": "2025-10-01T20:27:16.647Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:46:26.613Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro->rw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n BTRFS info (device loop0 state MCS): disabling free space tree\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n Call Trace:\n <TASK>\n btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n do_mount fs/namespace.c:3812 [inline]\n __do_sys_mount fs/namespace.c:4020 [inline]\n __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip mount option/feature checks if we are mounting a different\n subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n will happen.\n\n- Mount a subvolume rw of the same fs.\n We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n because our new fc is RW, different from the original fs.\n\n Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n first so that we can grab the existing fs_info.\n Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n This means we will restart the v2 cache clearing, and convert back to\n v1 cache.\n This will trigger fs writes, and since the original fs has \"rescue=all\"\n option, it skips the csum tree read.\n\n And eventually causing NULL pointer dereference in super block\n writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn't really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/super.c"], "versions": [{"version": "f044b318675f0347ecfb88377542651ba4eb9e1f", "lessThan": "23724398b55d9570f6ae79dd2ea026fff8896bf1", "status": "affected", "versionType": "git"}, {"version": "f044b318675f0347ecfb88377542651ba4eb9e1f", "lessThan": "3c36a72c1d27de6618c1c480c793d9924640f5bb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/super.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.6", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.11.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1"}, {"url": "https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"}], "title": "btrfs: reject ro->rw reconfiguration if there are hard ro requirements", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50118", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T20:21:46.566207Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T20:27:16.647Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50118", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T20:21:46.566207Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T15:16:12.253Z"}}], "cna": {"title": "btrfs: reject ro->rw reconfiguration if there are hard ro requirements", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "f044b318675f0347ecfb88377542651ba4eb9e1f", "lessThan": "23724398b55d9570f6ae79dd2ea026fff8896bf1", "versionType": "git"}, {"status": "affected", "version": "f044b318675f0347ecfb88377542651ba4eb9e1f", "lessThan": "3c36a72c1d27de6618c1c480c793d9924640f5bb", "versionType": "git"}], "programFiles": ["fs/btrfs/super.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.11.6", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/btrfs/super.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1"}, {"url": "https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro->rw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n BTRFS info (device loop0 state MCS): disabling free space tree\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n Call Trace:\n <TASK>\n btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n do_mount fs/namespace.c:3812 [inline]\n __do_sys_mount fs/namespace.c:4020 [inline]\n __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip mount option/feature checks if we are mounting a different\n subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n will happen.\n\n- Mount a subvolume rw of the same fs.\n We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n because our new fc is RW, different from the original fs.\n\n Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n first so that we can grab the existing fs_info.\n Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n This means we will restart the v2 cache clearing, and convert back to\n v1 cache.\n This will trigger fs writes, and since the original fs has \"rescue=all\"\n option, it skips the csum tree read.\n\n And eventually causing NULL pointer dereference in super block\n writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn't really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11.6", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12", "versionStartIncluding": "6.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:46:26.613Z"}}}, "cveMetadata": {"cveId": "CVE-2024-50118", "state": "PUBLISHED", "dateUpdated": "2025-10-01T20:27:16.647Z", "dateReserved": "2024-10-21T19:36:19.948Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-11-05T17:10:48.641Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CAA29A6-36B4-4C90-A862-A816F65153DB", "versionEndExcluding": "6.11.6", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro->rw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n BTRFS info (device loop0 state MCS): disabling free space tree\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n Call Trace:\n <TASK>\n btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n do_mount fs/namespace.c:3812 [inline]\n __do_sys_mount fs/namespace.c:4020 [inline]\n __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip mount option/feature checks if we are mounting a different\n subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n will happen.\n\n- Mount a subvolume rw of the same fs.\n We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n because our new fc is RW, different from the original fs.\n\n Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n first so that we can grab the existing fs_info.\n Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n This means we will restart the v2 cache clearing, and convert back to\n v1 cache.\n This will trigger fs writes, and since the original fs has \"rescue=all\"\n option, it skips the csum tree read.\n\n And eventually causing NULL pointer dereference in super block\n writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn't really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: rechazar la reconfiguraci\u00f3n de ro-&gt;rw si hay requisitos de ro estrictos [ERROR]. Syzbot informa del siguiente fallo: Informaci\u00f3n de BTRFS (estado de loop0 del dispositivo MCS): deshabilitar el \u00e1rbol de espacio libre Informaci\u00f3n de BTRFS (estado de loop0 del dispositivo MCS): borrando el indicador de funci\u00f3n de compatibilidad para FREE_SPACE_TREE (0x1) Informaci\u00f3n de BTRFS (estado de loop0 del dispositivo MCS): borrando el indicador de funci\u00f3n de compatibilidad para FREE_SPACE_TREE_VALID (0x2) Vaya: error de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref en el rango [0x000000000000018-0x000000000000001f] Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 01/04/2014 RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [en l\u00ednea] RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Seguimiento de llamadas: btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfs_remount_rw fs/btrfs/super.c:1309 [en l\u00ednea] btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [en l\u00ednea] btrfs_get_tree_subvol fs/btrfs/super.c:2079 [en l\u00ednea] btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115 vfs_get_tree+0x90/0x2b0 fs/super.c:1800 do_new_mount+0x2be/0xb40 fs/namespace.c:3472 do_mount fs/namespace.c:3812 [en l\u00ednea] __do_sys_mount fs/namespace.c:4020 [en l\u00ednea] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [CAUSA] Para admitir el montaje de diferentes subvol\u00famenes con diferentes indicadores RO/RW para las nuevas API de montaje, btrfs introdujo dos workarounds para admitir esta funci\u00f3n: - Omitir las comprobaciones de opciones/funciones de montaje si estamos montando un subvolumen diferente - Reconfigurar el fs a RW si el montaje inicial es RO Combinando estos dos, podemos tener la siguiente secuencia: - Montar el fs ro,rescue=all,clear_cache,space_cache=v1 rescue=all marcar\u00e1 el fs como de solo lectura, por lo que no se borrar\u00e1 la cach\u00e9 v2. - Montar un subvolumen rw del mismo fs. Entramos en btrfs_get_tree_subvol(), pero fc_mount() devuelve EBUSY porque nuestro nuevo fc es RW, diferente del fs original. Ahora ingresamos btrfs_reconfigure_for_mount(), que cambia el indicador RO primero para que podamos obtener el fs_info existente. Luego reconfiguramos el fs a RW. - Durante la reconfiguraci\u00f3n, se omite la verificaci\u00f3n de opciones/caracter\u00edsticas Esto significa que reiniciaremos el borrado de la cach\u00e9 v2 y volveremos a la cach\u00e9 v1. Esto activar\u00e1 escrituras en el sistema de archivos y, dado que el sistema de archivos original tiene la opci\u00f3n \"rescue=all\", omite la lectura del \u00e1rbol csum. Y, eventualmente, provoca la desreferencia del puntero NULL en la reescritura del superbloque. [SOLUCI\u00d3N] Para la reconfiguraci\u00f3n causada por diferentes indicadores de RO/RW de subvolumen, aseg\u00farese de que siempre ejecutamos btrfs_check_options() para garantizar que se cumplan los requisitos de RO estrictos adecuados. De hecho, la funci\u00f3n btrfs_check_options() no realiza muchas comprobaciones complejas, sino requisitos de RO estrictos y algunas comprobaciones de dependencia de funciones, por lo que no hay ninguna raz\u00f3n especial para no realizar la comprobaci\u00f3n para la reconfiguraci\u00f3n del montaje."}], "id": "CVE-2024-50118", "lastModified": "2025-10-01T21:15:49.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-05T18:15:14.887", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: btrfs: reject ro->rw reconfiguration if there are hard ro requirements", "id": "2323936", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2323936"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: reject ro->rw reconfiguration if there are hard ro requirements\n[BUG]\nSyzbot reports the following crash:\nBTRFS info (device loop0 state MCS): disabling free space tree\nBTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\nBTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\nRIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\nCall Trace:\n<TASK>\nbtrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\nbtrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\nbtrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\nbtrfs_remount_rw fs/btrfs/super.c:1309 [inline]\nbtrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\nbtrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\nbtrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\nbtrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\nvfs_get_tree+0x90/0x2b0 fs/super.c:1800\ndo_new_mount+0x2be/0xb40 fs/namespace.c:3472\ndo_mount fs/namespace.c:3812 [inline]\n__do_sys_mount fs/namespace.c:4020 [inline]\n__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n- Skip mount option/feature checks if we are mounting a different\nsubvolume\n- Reconfigure the fs to RW if the initial mount is RO\nCombining these two, we can have the following sequence:\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\nrescue=all will mark the fs as hard read-only, so no v2 cache clearing\nwill happen.\n- Mount a subvolume rw of the same fs.\nWe go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\nbecause our new fc is RW, different from the original fs.\nNow we enter btrfs_reconfigure_for_mount(), which switches the RO flag\nfirst so that we can grab the existing fs_info.\nThen we reconfigure the fs to RW.\n- During reconfiguration, option/features check is skipped\nThis means we will restart the v2 cache clearing, and convert back to\nv1 cache.\nThis will trigger fs writes, and since the original fs has \"rescue=all\"\noption, it skips the csum tree read.\nAnd eventually causing NULL pointer dereference in super block\nwriteback.\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\nIn fact the function btrfs_check_options() doesn't really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration."], "name": "CVE-2024-50118", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-05T17:10:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-50118\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50118\nhttps://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1\nhttps://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"], "threat_severity": "Moderate"}