{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-26944",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G        W          6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x5b/0x90\n  print_report+0xcf/0x670\n  ? __virt_addr_valid+0x200/0x3e0\n  kasan_report+0xd8/0x110\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  do_zone_finish+0x91a/0xb90 [btrfs]\n  btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n  ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n  ? btrfs_put_root+0x2d/0x220 [btrfs]\n  ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n  cleaner_kthread+0x21e/0x380 [btrfs]\n  ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n  kthread+0x2e3/0x3c0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x31/0x70\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>\n\n Allocated by task 3493983:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  __kasan_kmalloc+0xaa/0xb0\n  btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n  device_list_add.constprop.0+0x993/0x1630 [btrfs]\n  btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n  btrfs_control_ioctl+0x26e/0x310 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3f/0x60\n  poison_slab_object+0x102/0x170\n  __kasan_slab_free+0x32/0x70\n  kfree+0x11b/0x320\n  btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n  btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n  btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n  btrfs_ioctl+0xb27/0x57d0 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n  which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n  freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                        ^\n  ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n  btrfs_scrub_dev\n   btrfs_dev_replace_finishing\n    btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n    btrfs_rm_dev_replace_free_srcdev\n     btrfs_free_device                              <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n  btrfs_zone_finish\n   do_zone_finish              <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "1da177e4c3f4",
                                            "version_value": "34ca809e055e"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "6.8.3",
                                                        "lessThanOrEqual": "6.8.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.9",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57"
            },
            {
                "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302"
            }
        ]
    },
    "generator": {
        "engine": "bippy-a5840b7849dd"
    }
}