CVE-2024-35956 Affecting kernel-64kb-devel package, versions <6.4.0-150600.23.7.3
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES156-KERNEL64KBDEVEL-7717000
- published 20 Aug 2024
- disclosed 25 Jun 2024
Introduced: 25 Jun 2024
CVE-2024-35956 Open this link in a new tabHow to fix?
Upgrade SLES:15.6
kernel-64kb-devel
to version 6.4.0-150600.23.7.3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-64kb-devel
package and not the kernel-64kb-devel
package as distributed by SLES
.
See How to fix?
for SLES:15.6
relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction.
However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation.
The fix is to ensure that every qgroup PREALLOC reservation observes the following properties:
- any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation.
- after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation.
This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.
References
- https://www.suse.com/security/cve/CVE-2024-35956.html
- https://bugzilla.suse.com/1224674
- https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
- https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
- https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd