{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-35798",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-05-17T12:19:12.341Z",
        "datePublished": "2024-05-17T13:23:08.868Z",
        "dateUpdated": "2024-08-02T03:21:47.569Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:29:09.898Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race in read_extent_buffer_pages()\n\nThere are reports from tree-checker that detects corrupted nodes,\nwithout any obvious pattern so possibly an overwrite in memory.\nAfter some debugging it turns out there's a race when reading an extent\nbuffer the uptodate status can be missed.\n\nTo prevent concurrent reads for the same extent buffer,\nread_extent_buffer_pages() performs these checks:\n\n    /* (1) */\n    if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))\n        return 0;\n\n    /* (2) */\n    if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))\n        goto done;\n\nAt this point, it seems safe to start the actual read operation. Once\nthat completes, end_bbio_meta_read() does\n\n    /* (3) */\n    set_extent_buffer_uptodate(eb);\n\n    /* (4) */\n    clear_bit(EXTENT_BUFFER_READING, &eb->bflags);\n\nNormally, this is enough to ensure only one read happens, and all other\ncallers wait for it to finish before returning.  Unfortunately, there is\na racey interleaving:\n\n    Thread A | Thread B | Thread C\n    ---------+----------+---------\n       (1)   |          |\n             |    (1)   |\n       (2)   |          |\n       (3)   |          |\n       (4)   |          |\n             |    (2)   |\n             |          |    (1)\n\nWhen this happens, thread B kicks of an unnecessary read. Worse, thread\nC will see UPTODATE set and return immediately, while the read from\nthread B is still in progress.  This race could result in tree-checker\nerrors like this as the extent buffer is concurrently modified:\n\n    BTRFS critical (device dm-0): corrupted node, root=256\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\n    expect [256, 18446744073709551360]\n\nFix it by testing UPTODATE again after setting the READING bit, and if\nit's been set, skip the unnecessary read.\n\n[ minor update of changelog ]"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/btrfs/extent_io.c"
                    ],
                    "versions": [
                        {
                            "version": "d7172f52e993",
                            "lessThan": "0427c8ef8bbb",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "d7172f52e993",
                            "lessThan": "3a25878a3378",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "d7172f52e993",
                            "lessThan": "2885d54af2c2",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "d7172f52e993",
                            "lessThan": "ef1e68236b91",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/btrfs/extent_io.c"
                    ],
                    "versions": [
                        {
                            "version": "6.5",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "6.5",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.24",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.7.12",
                            "lessThanOrEqual": "6.7.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.8.3",
                            "lessThanOrEqual": "6.8.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.9",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052"
                },
                {
                    "url": "https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80"
                },
                {
                    "url": "https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1"
                },
                {
                    "url": "https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215"
                }
            ],
            "title": "btrfs: fix race in read_extent_buffer_pages()",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-06-12T15:26:19.488238Z",
                                "id": "CVE-2024-35798",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-12T15:26:30.636Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T03:21:47.569Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}