{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49869", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.019Z", "datePublished": "2024-10-21T18:01:11.389Z", "dateUpdated": "2024-11-05T09:50:25.624Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:50:25.624Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n strcpy: detected buffer overflow: 20 byte write of buffer size 19\n WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n RIP: 0010:__fortify_report+0x45/0x50\n Code: 48 8b 34 (...)\n RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n Call Trace:\n <TASK>\n ? __warn+0x12a/0x1d0\n ? __fortify_report+0x45/0x50\n ? report_bug+0x154/0x1c0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x1a/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? __fortify_report+0x45/0x50\n __fortify_panic+0x9/0x10\n __get_cur_name_and_parent+0x3bc/0x3c0\n get_cur_path+0x207/0x3b0\n send_extent_data+0x709/0x10d0\n ? find_parent_nodes+0x22df/0x25d0\n ? mas_nomem+0x13/0x90\n ? mtree_insert_range+0xa5/0x110\n ? btrfs_lru_cache_store+0x5f/0x1e0\n ? iterate_extent_inodes+0x52d/0x5a0\n process_extent+0xa96/0x11a0\n ? __pfx_lookup_backref_cache+0x10/0x10\n ? __pfx_store_backref_cache+0x10/0x10\n ? __pfx_iterate_backrefs+0x10/0x10\n ? __pfx_check_extent_item+0x10/0x10\n changed_cb+0x6fa/0x930\n ? tree_advance+0x362/0x390\n ? memcmp_extent_buffer+0xd7/0x160\n send_subvol+0xf0a/0x1520\n btrfs_ioctl_send+0x106b/0x11d0\n ? __pfx___clone_root_cmp_sort+0x10/0x10\n _btrfs_ioctl_send+0x1ac/0x240\n btrfs_ioctl+0x75b/0x850\n __se_sys_ioctl+0xca/0x150\n do_syscall_64+0x85/0x160\n ? __count_memcg_events+0x69/0x100\n ? handle_mm_fault+0x1327/0x15c0\n ? __se_sys_rt_sigprocmask+0xf1/0x180\n ? syscall_exit_to_user_mode+0x75/0xa0\n ? do_syscall_64+0x91/0x160\n ? do_user_addr_fault+0x21d/0x630\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fae145eeb4f\n Code: 00 48 89 (...)\n RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n </TASK>\n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n https://github.com/KSPP/linux/issues/90"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/send.c"], "versions": [{"version": "c0247d289e73", "lessThan": "843738ede6cb", "status": "affected", "versionType": "git"}, {"version": "c0247d289e73", "lessThan": "96c6ca71572a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/send.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/843738ede6cb8b959fb22591fcbabe8b456d7216"}, {"url": "https://git.kernel.org/stable/c/96c6ca71572a3556ed0c37237305657ff47174b7"}], "title": "btrfs: send: fix buffer overflow detection when copying path to cache entry", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:47:11.699189Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:48:52.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:47:11.699189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:47:15.316Z"}}], "cna": {"title": "btrfs: send: fix buffer overflow detection when copying path to cache entry", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c0247d289e73", "lessThan": "843738ede6cb", "versionType": "git"}, {"status": "affected", "version": "c0247d289e73", "lessThan": "96c6ca71572a", "versionType": "git"}], "programFiles": ["fs/btrfs/send.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.11"}, {"status": "unaffected", "version": "0", "lessThan": "6.11", "versionType": "semver"}, {"status": "unaffected", "version": "6.11.3", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12-rc2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/btrfs/send.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/843738ede6cb8b959fb22591fcbabe8b456d7216"}, {"url": "https://git.kernel.org/stable/c/96c6ca71572a3556ed0c37237305657ff47174b7"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n strcpy: detected buffer overflow: 20 byte write of buffer size 19\n WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n RIP: 0010:__fortify_report+0x45/0x50\n Code: 48 8b 34 (...)\n RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n Call Trace:\n <TASK>\n ? __warn+0x12a/0x1d0\n ? __fortify_report+0x45/0x50\n ? report_bug+0x154/0x1c0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x1a/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? __fortify_report+0x45/0x50\n __fortify_panic+0x9/0x10\n __get_cur_name_and_parent+0x3bc/0x3c0\n get_cur_path+0x207/0x3b0\n send_extent_data+0x709/0x10d0\n ? find_parent_nodes+0x22df/0x25d0\n ? mas_nomem+0x13/0x90\n ? mtree_insert_range+0xa5/0x110\n ? btrfs_lru_cache_store+0x5f/0x1e0\n ? iterate_extent_inodes+0x52d/0x5a0\n process_extent+0xa96/0x11a0\n ? __pfx_lookup_backref_cache+0x10/0x10\n ? __pfx_store_backref_cache+0x10/0x10\n ? __pfx_iterate_backrefs+0x10/0x10\n ? __pfx_check_extent_item+0x10/0x10\n changed_cb+0x6fa/0x930\n ? tree_advance+0x362/0x390\n ? memcmp_extent_buffer+0xd7/0x160\n send_subvol+0xf0a/0x1520\n btrfs_ioctl_send+0x106b/0x11d0\n ? __pfx___clone_root_cmp_sort+0x10/0x10\n _btrfs_ioctl_send+0x1ac/0x240\n btrfs_ioctl+0x75b/0x850\n __se_sys_ioctl+0xca/0x150\n do_syscall_64+0x85/0x160\n ? __count_memcg_events+0x69/0x100\n ? handle_mm_fault+0x1327/0x15c0\n ? __se_sys_rt_sigprocmask+0xf1/0x180\n ? syscall_exit_to_user_mode+0x75/0xa0\n ? do_syscall_64+0x91/0x160\n ? do_user_addr_fault+0x21d/0x630\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fae145eeb4f\n Code: 00 48 89 (...)\n RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n </TASK>\n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n https://github.com/KSPP/linux/issues/90"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:50:25.624Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49869", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:50:25.624Z", "dateReserved": "2024-10-21T12:17:06.019Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T18:01:11.389Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n strcpy: detected buffer overflow: 20 byte write of buffer size 19\n WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n RIP: 0010:__fortify_report+0x45/0x50\n Code: 48 8b 34 (...)\n RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n Call Trace:\n <TASK>\n ? __warn+0x12a/0x1d0\n ? __fortify_report+0x45/0x50\n ? report_bug+0x154/0x1c0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x1a/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? __fortify_report+0x45/0x50\n __fortify_panic+0x9/0x10\n __get_cur_name_and_parent+0x3bc/0x3c0\n get_cur_path+0x207/0x3b0\n send_extent_data+0x709/0x10d0\n ? find_parent_nodes+0x22df/0x25d0\n ? mas_nomem+0x13/0x90\n ? mtree_insert_range+0xa5/0x110\n ? btrfs_lru_cache_store+0x5f/0x1e0\n ? iterate_extent_inodes+0x52d/0x5a0\n process_extent+0xa96/0x11a0\n ? __pfx_lookup_backref_cache+0x10/0x10\n ? __pfx_store_backref_cache+0x10/0x10\n ? __pfx_iterate_backrefs+0x10/0x10\n ? __pfx_check_extent_item+0x10/0x10\n changed_cb+0x6fa/0x930\n ? tree_advance+0x362/0x390\n ? memcmp_extent_buffer+0xd7/0x160\n send_subvol+0xf0a/0x1520\n btrfs_ioctl_send+0x106b/0x11d0\n ? __pfx___clone_root_cmp_sort+0x10/0x10\n _btrfs_ioctl_send+0x1ac/0x240\n btrfs_ioctl+0x75b/0x850\n __se_sys_ioctl+0xca/0x150\n do_syscall_64+0x85/0x160\n ? __count_memcg_events+0x69/0x100\n ? handle_mm_fault+0x1327/0x15c0\n ? __se_sys_rt_sigprocmask+0xf1/0x180\n ? syscall_exit_to_user_mode+0x75/0xa0\n ? do_syscall_64+0x91/0x160\n ? do_user_addr_fault+0x21d/0x630\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fae145eeb4f\n Code: 00 48 89 (...)\n RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n </TASK>\n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n https://github.com/KSPP/linux/issues/90"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: send: corrige la detecci\u00f3n de desbordamiento de b\u00fafer al copiar la ruta a la entrada de cach\u00e9 A partir de el commit c0247d289e73 (\"btrfs: send: annotate struct name_cache_entry with __counted_by()\"), anotamos la matriz de longitud variable \"name\" de la estructura name_cache_entry con __counted_by() para mejorar la detecci\u00f3n de desbordamiento. Sin embargo, eso solo no era correcto, porque la longitud de esa matriz no coincide con el campo \"name_len\" - coincide con eso m\u00e1s 1 para incluir el terminador de cadena NUL, por lo que hace que un kernel fortificado piense que hay un desbordamiento e informe un splat como este: strcpy: desbordamiento de b\u00fafer detectado: escritura de 20 bytes de tama\u00f1o de b\u00fafer 19 ADVERTENCIA: CPU: 3 PID: 3310 en __fortify_report+0x45/0x50 CPU: 3 UID: 0 PID: 3310 Comm: btrfs No contaminado 6.11.0-prnet #1 Nombre del hardware: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 15/03/2018 RIP: 0010:__fortify_report+0x45/0x50 C\u00f3digo: 48 8b 34 (...) RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246 RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027 RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8 RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400 R13: 0000000000000000 R14: 0000000000000013 R15: 000000000000003a8 FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0 Seguimiento de llamadas: ? __warn+0x12a/0x1d0 ? __fortify_report+0x45/0x50 ? report_bug+0x154/0x1c0 ? handle_bug+0x42/0x70 ? exc_invalid_op+0x1a/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? __fortify_report+0x45/0x50 __fortify_panic+0x9/0x10 __get_cur_name_and_parent_+0x3bc/0x3c0 get_cur_path+0x207/0x3b0 send_extent_data+0x709/0x10d0 ? find_parent_nodes+0x22df/0x25d0 ? mas_nomem+0x13/0x90 ? mtree_insert_range+0xa5/0x110 ? btrfs_lru_cache_store+0x5f/0x1e0 ? iterate_extent_inodes+0x52d/0x5a0 process_extent+0xa96/0x11a0 ? __pfx_lookup_backref_cache+0x10/0x10 ? __pfx_store_backref_cache+0x10/0x10 ? __pfx_iterate_backrefs+0x10/0x10 ? __pfx_check_extent_item+0x10/0x10 changed_cb+0x6fa/0x930 ? tree_advance+0x362/0x390 ? __pfx___clone_root_cmp_sort+0x10/0x10 _btrfs_ioctl_send+0x1ac/0x240 btrfs_ioctl+0x75b/0x850 __se_sys_ioctl+0xca/0x150 do_syscall_64+0x85/0x160 ? __count_memcg_events+0x69/0x100 ? handle_mm_fault+0x1327/0x15c0 ? __se_sys_rt_sigprocmask+0xf1/0x180 ? syscall_exit_to_user_mode+0x75/0xa0 ? do_syscall_64+0x91/0x160 ? do_user_addr_fault+0x21d/0x630 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fae145eeb4f C\u00f3digo: 00 48 89 (...) RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 000000000000010 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004 RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927 R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8 R13: 000000000000003 R14: 000055c499fab2e0 R15: 000000000000004 Solucione esto al no almacenar el terminador de cadena NUL ya que en realidad no lo necesitamos para las entradas de cach\u00e9 de nombres, de esta manera \"name_len\" corresponde al tama\u00f1o real de la matriz \"name\". Esto requiere marcar el campo de matriz \"nombre\" con __nonstring y usar memcpy() en lugar de strcpy() como lo recomiendan las pautas en: https://github.com/KSPP/linux/issues/90"}], "id": "CVE-2024-49869", "lastModified": "2024-10-24T20:28:21.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T18:15:08.340", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/843738ede6cb8b959fb22591fcbabe8b456d7216"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/96c6ca71572a3556ed0c37237305657ff47174b7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: btrfs: send: fix buffer overflow detection when copying path to cache entry", "id": "2320578", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320578"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\nstrcpy: detected buffer overflow: 20 byte write of buffer size 19\nWARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\nCPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\nHardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\nRIP: 0010:__fortify_report+0x45/0x50\nCode: 48 8b 34 (...)\nRSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\nRAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\nRDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\nRBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\nR10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\nR13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\nFS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? __warn+0x12a/0x1d0\n? __fortify_report+0x45/0x50\n? report_bug+0x154/0x1c0\n? handle_bug+0x42/0x70\n? exc_invalid_op+0x1a/0x50\n? asm_exc_invalid_op+0x1a/0x20\n? __fortify_report+0x45/0x50\n__fortify_panic+0x9/0x10\n__get_cur_name_and_parent+0x3bc/0x3c0\nget_cur_path+0x207/0x3b0\nsend_extent_data+0x709/0x10d0\n? find_parent_nodes+0x22df/0x25d0\n? mas_nomem+0x13/0x90\n? mtree_insert_range+0xa5/0x110\n? btrfs_lru_cache_store+0x5f/0x1e0\n? iterate_extent_inodes+0x52d/0x5a0\nprocess_extent+0xa96/0x11a0\n? __pfx_lookup_backref_cache+0x10/0x10\n? __pfx_store_backref_cache+0x10/0x10\n? __pfx_iterate_backrefs+0x10/0x10\n? __pfx_check_extent_item+0x10/0x10\nchanged_cb+0x6fa/0x930\n? tree_advance+0x362/0x390\n? memcmp_extent_buffer+0xd7/0x160\nsend_subvol+0xf0a/0x1520\nbtrfs_ioctl_send+0x106b/0x11d0\n? __pfx___clone_root_cmp_sort+0x10/0x10\n_btrfs_ioctl_send+0x1ac/0x240\nbtrfs_ioctl+0x75b/0x850\n__se_sys_ioctl+0xca/0x150\ndo_syscall_64+0x85/0x160\n? __count_memcg_events+0x69/0x100\n? handle_mm_fault+0x1327/0x15c0\n? __se_sys_rt_sigprocmask+0xf1/0x180\n? syscall_exit_to_user_mode+0x75/0xa0\n? do_syscall_64+0x91/0x160\n? do_user_addr_fault+0x21d/0x630\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fae145eeb4f\nCode: 00 48 89 (...)\nRSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\nRDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\nRBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\nR10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\nR13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n</TASK>\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\nhttps://github.com/KSPP/linux/issues/90"], "name": "CVE-2024-49869", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49869\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49869\nhttps://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49869-f804@gregkh/T"], "threat_severity": "Moderate"}