{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39496", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-25T14:23:23.751Z", "datePublished": "2024-07-12T12:20:31.669Z", "dateUpdated": "2024-09-11T17:34:39.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:50:40.543Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/zoned.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "17765964703b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "092571ef9a81", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "a0cc006f4214", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "0090d6e1b210", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/zoned.c"], "versions": [{"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43"}, {"url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6"}, {"url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752"}, {"url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9"}], "title": "btrfs: zoned: fix use-after-free due to race with dev replace", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.593Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:07:26.275755Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:39.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.593Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:07:26.275755Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:25.052Z"}}], "cna": {"title": "btrfs: zoned: fix use-after-free due to race with dev replace", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "17765964703b", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "092571ef9a81", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "a0cc006f4214", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "0090d6e1b210", "versionType": "git"}], "programFiles": ["fs/btrfs/zoned.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.1.95", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.35", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.6", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/btrfs/zoned.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43"}, {"url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6"}, {"url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752"}, {"url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:50:40.543Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39496", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:39.782Z", "dateReserved": "2024-06-25T14:23:23.751Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:20:31.669Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "19A7A2F1-5F51-4897-8BF3-5079D28CBE9C", "versionEndExcluding": "6.1.95", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F019D15-84C0-416B-8C57-7F51B68992F0", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs:zoned: corrige el use-after-free debido a la ejecuci\u00f3n con el reemplazo de desarrollo. Mientras cargamos la informaci\u00f3n de una zona durante la creaci\u00f3n de un grupo de bloques, podemos ejecutar una operaci\u00f3n de reemplazo de dispositivo y luego activar un use-after-free en el dispositivo que acaba de ser reemplazado (dispositivo fuente de la operaci\u00f3n de reemplazo). Esto sucede porque en btrfs_load_zone_info() extraemos un dispositivo del mapa de fragmentos en una variable local y luego usamos el dispositivo mientras no est\u00e1 bajo la protecci\u00f3n del dispositivo y reemplazamos rwsem. Entonces, si se produce una operaci\u00f3n de reemplazo de dispositivo cuando extraemos el dispositivo y ese dispositivo es la fuente de la operaci\u00f3n de reemplazo, activaremos un use-after-free si antes de terminar de usar el dispositivo la operaci\u00f3n de reemplazo finaliza y libera el dispositivo. Solucione este problema ampliando la secci\u00f3n cr\u00edtica bajo la protecci\u00f3n del dispositivo y reemplace rwsem para que todos los usos del dispositivo se realicen dentro de la secci\u00f3n cr\u00edtica."}], "id": "CVE-2024-39496", "lastModified": "2024-07-24T19:02:36.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:12.253", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: btrfs: zoned: fix use-after-free due to race with dev replace", "id": "2297468", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297468"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: zoned: fix use-after-free due to race with dev replace\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section."], "name": "CVE-2024-39496", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39496\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39496\nhttps://lore.kernel.org/linux-cve-announce/2024071202-CVE-2024-39496-7948@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc1"}