{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35956", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.136Z", "datePublished": "2024-05-20T09:41:49.261Z", "dateUpdated": "2024-12-19T08:59:03.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:59:03.206Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c", "fs/btrfs/ioctl.c", "fs/btrfs/root-tree.c", "fs/btrfs/root-tree.h"], "versions": [{"version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "945559be6e282a812dc48f7bcd5adc60901ea4a0", "status": "affected", "versionType": "git"}, {"version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", "status": "affected", "versionType": "git"}, {"version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", "status": "affected", "versionType": "git"}, {"version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "74e97958121aa1f5854da6effba70143f051b0cd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c", "fs/btrfs/ioctl.c", "fs/btrfs/root-tree.c", "fs/btrfs/root-tree.h"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.120", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.28", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.7", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0"}, {"url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9"}, {"url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c"}, {"url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd"}], "title": "btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T15:09:45.663263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:12.385Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:49.097Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:49.097Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T15:09:45.663263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.915Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "945559be6e282a812dc48f7bcd5adc60901ea4a0", "versionType": "git"}, {"status": "affected", "version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "14431815a4ae4bcd7c7a68b6a64c66c7712d27c9", "versionType": "git"}, {"status": "affected", "version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "6c95336f5d8eb9ab79cd7306d71b6d0477363f8c", "versionType": "git"}, {"status": "affected", "version": "e85fde5162bf1b242cbd6daf7dba0f9b457d592b", "lessThan": "74e97958121aa1f5854da6effba70143f051b0cd", "versionType": "git"}], "programFiles": ["fs/btrfs/inode.c", "fs/btrfs/ioctl.c", "fs/btrfs/root-tree.c", "fs/btrfs/root-tree.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.10"}, {"status": "unaffected", "version": "0", "lessThan": "5.10", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.120", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.28", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.7", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/btrfs/inode.c", "fs/btrfs/ioctl.c", "fs/btrfs/root-tree.c", "fs/btrfs/root-tree.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0"}, {"url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9"}, {"url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c"}, {"url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:59:03.206Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35956", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:59:03.206Z", "dateReserved": "2024-05-17T13:50:33.136Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-20T09:41:49.261Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: qgroup: corrige la fuga de rsv prealloc de qgroup en operaciones de subvolumen Crear subvolumen, crear instant\u00e1nea y eliminar subvolumen, todos usan btrfs_subvolume_reserve_metadata() para reservar metadatos para los cambios realizados en el \u00e1rbol fs del subvolumen principal , que no se puede mediar de la forma normal a trav\u00e9s de start_transaction. Cuando los grupos de cuotas (squota o qgroups) est\u00e1n habilitados, esto reserva metadatos de qgroup de tipo PREALLOC. Una vez asociada la operaci\u00f3n a una transacci\u00f3n, convertimos PREALLOC a PERTRANS, que se compensa de forma masiva al final de la transacci\u00f3n. Sin embargo, las rutas de error de estas tres operaciones no implementaban este ciclo de vida correctamente. Convirtieron incondicionalmente PREALLOC a PERTRANS en un paso de limpieza gen\u00e9rico, independientemente de los errores o de si la operaci\u00f3n estaba completamente asociada a una transacci\u00f3n o no. Esto result\u00f3 en rutas de error que ocasionalmente convert\u00edan este rsv a PERTRANS sin llamar exitosamente a record_root_in_trans, lo que significaba que, a menos que alg\u00fan otro hilo registrara esa ra\u00edz en la transacci\u00f3n, el final de la transacci\u00f3n no liberar\u00eda el PERTRANS de esa ra\u00edz, filtr\u00e1ndolo. En \u00faltima instancia, esto result\u00f3 en un aviso de ADVERTENCIA en las compilaciones CONFIG_BTRFS_DEBUG al desmontar la reserva filtrada. La soluci\u00f3n es garantizar que cada reserva PREALLOC de qgroup observe las siguientes propiedades: 1. cualquier falla antes de que se llame exitosamente a record_root_in_trans resulta en la liberaci\u00f3n de la reserva PREALLOC. 2. despu\u00e9s de record_root_in_trans, convertimos a PERTRANS, y ahora la transacci\u00f3n es due\u00f1a de la reserva. Este parche aplica esas propiedades en las tres operaciones. Sin \u00e9l, generic/269 con cuotas habilitadas en el momento mkfs fallar\u00eda en ~5-10 ejecuciones en mi sistema. Con este parche, se ejecut\u00f3 exitosamente 1000 veces seguidas."}], "id": "CVE-2024-35956", "lastModified": "2024-12-14T21:15:18.477", "metrics": {}, "published": "2024-05-20T10:15:10.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations", "id": "2281929", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281929"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n1. any failure before record_root_in_trans is called successfully\nresults in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\ntransaction owns freeing the reservation.\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow."], "name": "CVE-2024-35956", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35956\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35956\nhttps://lore.kernel.org/linux-cve-announce/2024052018-CVE-2024-35956-3c25@gregkh/T"], "threat_severity": "Low"}