In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

Syzbot reported the following information leak for in
btrfs_ioctl_logical_to_ino():

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_copy_to_user+0xbc/0x110 lib/usercopy.c:40
copy_to_user include/linux/uaccess.h:191 [inline]
btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
btrfs_ioctl+0x714/0x1260
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
__kmalloc_large_node+0x231/0x370 mm/slub.c:3921
__do_kmalloc_node mm/slub.c:3954 [inline]
__kmalloc_node+0xb07/0x1060 mm/slub.c:3973
kmalloc_node include/linux/slab.h:648 [inline]
kvmalloc_node+0xc0/0x2d0 mm/util.c:634
kvmalloc include/linux/slab.h:766 [inline]
init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
btrfs_ioctl+0x714/0x1260
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
__x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 40-65535 of 65536 are uninitialized
Memory access of size 65536 starts at ffff888045a40000

This happens, because we're copying a 'struct btrfs_data_container' back
to user-space. This btrfs_data_container is allocated in
'init_data_container()' via kvmalloc(), which does not zero-fill the
memory.

Fix this by using kvzalloc() which zeroes out the memory on allocation.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3840-1 linux security update
Debian DLA Debian DLA DLA-3842-1 linux-5.10 security update
Ubuntu USN Ubuntu USN USN-6896-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6896-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6896-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6896-4 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6896-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6898-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6898-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6898-3 Linux kernel kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6898-4 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6917-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6919-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6927-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6949-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6949-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6952-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-6955-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7019-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7796-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7797-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7796-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7796-3 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-7797-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7796-4 Linux kernel (Azure FIPS) kernel vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 03 Feb 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
Linux
Linux linux Kernel
Weaknesses CWE-908
CPEs cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux
Linux
Linux linux Kernel
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-05-04T09:06:47.671Z

Reserved: 2024-05-17T13:50:33.105Z

Link: CVE-2024-35849

cve-icon Vulnrichment

Updated: 2024-08-02T03:21:48.438Z

cve-icon NVD

Status : Analyzed

Published: 2024-05-17T15:15:21.777

Modified: 2025-02-03T16:23:16.717

Link: CVE-2024-35849

cve-icon Redhat

Severity : Low

Publid Date: 2024-05-17T00:00:00Z

Links: CVE-2024-35849 - Bugzilla

cve-icon OpenCVE Enrichment

No data.