Bug 2309794 (CVE-2024-44963) - CVE-2024-44963 kernel: btrfs: do not BUG_ON() when freeing tree block after error
Summary: CVE-2024-44963 kernel: btrfs: do not BUG_ON() when freeing tree block after e...
Keywords:
Status: NEW
Alias: CVE-2024-44963
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2309829
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-09-04 19:21 UTC by OSIDB Bzimport
Modified: 2024-09-04 21:11 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2024-09-04 19:21:06 UTC
In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not BUG_ON() when freeing tree block after error

When freeing a tree block, at btrfs_free_tree_block(), if we fail to
create a delayed reference we don't deal with the error and just do a
BUG_ON(). The error most likely to happen is -ENOMEM, and we have a
comment mentioning that only -ENOMEM can happen, but that is not true,
because in case qgroups are enabled any error returned from
btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned
from btrfs_search_slot() for example) can be propagated back to
btrfs_free_tree_block().

So stop doing a BUG_ON() and return the error to the callers and make
them abort the transaction to prevent leaking space. Syzbot was
triggering this, likely due to memory allocation failure injection.


Note You need to log in before you can comment on or make changes to this bug.