CVE-2024-44963

{"id": "CVE-2024-44963", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-09-04T19:15:30.883", "references": [{"url": "https://git.kernel.org/stable/c/98251cd60b4d702a8a81de442ab621e83a3fb24f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb3868033a4cccff7be57e9145f2117cbdc91c11", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON() when freeing tree block after error\n\nWhen freeing a tree block, at btrfs_free_tree_block(), if we fail to\ncreate a delayed reference we don't deal with the error and just do a\nBUG_ON(). The error most likely to happen is -ENOMEM, and we have a\ncomment mentioning that only -ENOMEM can happen, but that is not true,\nbecause in case qgroups are enabled any error returned from\nbtrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned\nfrom btrfs_search_slot() for example) can be propagated back to\nbtrfs_free_tree_block().\n\nSo stop doing a BUG_ON() and return the error to the callers and make\nthem abort the transaction to prevent leaking space. Syzbot was\ntriggering this, likely due to memory allocation failure injection."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: no hacer BUG_ON() al liberar un bloque de \u00e1rbol despu\u00e9s de un error Al liberar un bloque de \u00e1rbol, en btrfs_free_tree_block(), si no podemos crear una referencia retrasada, no nos ocupamos del error y simplemente hacemos un BUG_ON(). El error m\u00e1s probable que ocurra es -ENOMEM, y tenemos un comentario que menciona que solo puede ocurrir -ENOMEM, pero eso no es cierto, porque en caso de que los qgroups est\u00e9n habilitados, cualquier error devuelto por btrfs_qgroup_trace_extent_post() (puede ser -EUCLEAN o cualquier cosa devuelta por btrfs_search_slot(), por ejemplo) se puede propagar de vuelta a btrfs_free_tree_block(). As\u00ed que deja de hacer un BUG_ON() y devuelve el error a los llamadores y haz que aborten la transacci\u00f3n para evitar fugas de espacio. Syzbot estaba activando esto, probablemente debido a la inyecci\u00f3n de fallo de asignaci\u00f3n de memoria."}], "lastModified": "2024-10-04T16:19:20.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4CB0927-C720-465B-99F2-3E47215515F2", "versionEndExcluding": "6.10.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}