btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

Summary

CVE: CVE-2024-35849
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2024-05-17 15:15:21 UTC
Updated: 2026-05-12 12:16:37 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix information leak in btrfs_ioctl_logical_to_ino()

Syzbot reported the following information leak in btrfs_ioctl_logical_to_ino():

  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
   instrument_copy_to_user include/linux/instrumented.h:114 [inline]
   _copy_to_user+0xbc/0x110 lib/usercopy.c:40
   copy_to_user include/linux/uaccess.h:191 [inline]
   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
   btrfs_ioctl+0x714/0x1260
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:904 [inline]
   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Uninit was created at:
   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
   __do_kmalloc_node mm/slub.c:3954 [inline]
   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
   kmalloc_node include/linux/slab.h:648 [inline]
   kvmalloc_node+0xc0/0x2d0 mm/util.c:634
   kvmalloc include/linux/slab.h:766 [inline]
   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
   btrfs_ioctl+0x714/0x1260
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:904 [inline]
   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Bytes 40-65535 of 65536 are uninitialized
  Memory access of size 65536 starts at ffff888045a40000

This happens because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory.

Fix this by using kvzalloc() which zeroes out the memory on allocation.
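The leak and the fix described above, modelled in user space as an added example (not kernel code and not part of the CVE record). `struct data_container`, `init_container()`, `stale_bytes_copied()`, the `0xAA` marker and the three stored values are assumptions chosen so that 40 of the 65536 bytes are initialized, as in the KMSAN report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 65536u /* allocation size from the KMSAN report */
#define STALE 0xAA      /* constructed marker for leftover heap contents */

/* Simplified model of struct btrfs_data_container: 16-byte header + values. */
struct data_container {
    uint32_t bytes_left, bytes_missing, elem_cnt, elem_missed;
    uint64_t val[];
};

/* Models init_data_container() plus 3 stored values (assumed count). */
static struct data_container *init_container(int zero)
{
    struct data_container *c = malloc(BUF_SIZE);
    if (!c)
        return NULL;
    /* kvmalloc() model leaves stale data; kvzalloc() model zero-fills. */
    memset(c, zero ? 0 : STALE, BUF_SIZE);
    c->bytes_left = BUF_SIZE - sizeof(*c) - 3 * sizeof(uint64_t);
    c->bytes_missing = c->elem_missed = 0;
    c->elem_cnt = 3;
    c->val[0] = 1; c->val[1] = 2; c->val[2] = 3;
    return c;
}

/* Models copy_to_user() of the whole buffer; counts stale bytes handed out. */
static long stale_bytes_copied(int zero)
{
    unsigned char *user = malloc(BUF_SIZE);
    struct data_container *c = init_container(zero);
    long n = (user && c) ? 0 : -1;
    for (size_t i = 0; n >= 0 && i < BUF_SIZE; i++) {
        user[i] = ((unsigned char *)c)[i];
        n += (user[i] == STALE);
    }
    free(c); free(user);
    return n;
}

int main(void)
{
    printf("kvmalloc model: %ld stale bytes\n", stale_bytes_copied(0));
    printf("kvzalloc model: %ld stale bytes\n", stale_bytes_copied(1));
    return 0;
}
```

The same pattern applies when reviewing any buffer that is copied out in full: either zero it at allocation or copy only the bytes that were written.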

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Problem Types: CWE-908

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Linux | Linux Kernel | All | All | All | All

Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 689efe22e9b5b7d9d523119a9a5c3c17107a0772 git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 73db209dcd4ae026021234d40cfcb2fb5b564b86 git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 30189e54ba80e3209d34cfeea87b848f6ae025e6 git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 e58047553a4e859dafc8d1d901e1de77c9dd922d git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 8bdbcfaf3eac42f98e5486b3d7e130fa287811f6 git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 fddc19631c51d9c17d43e9f822a7bc403af88d54 git | Not specified
CNA | Linux | Linux | affected a542ad1bafc7df9fc16de8a6894b350a4df75572 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf git | Not specified
CNA | Linux | Linux | affected 3.2 | Not specified
CNA | Linux | Linux | unaffected 3.2 semver | Not specified
CNA | Linux | Linux | unaffected 4.19.313 4.19.* semver | Not specified
CNA | Linux | Linux | unaffected 5.4.275 5.4.* semver | Not specified
CNA | Linux | Linux | unaffected 5.10.216 5.10.* semver | Not specified
CNA | Linux | Linux | unaffected 5.15.158 5.15.* semver | Not specified
CNA | Linux | Linux | unaffected 6.1.90 6.1.* semver | Not specified
CNA | Linux | Linux | unaffected 6.6.30 6.6.* semver | Not specified
CNA | Linux | Linux | unaffected 6.8.9 6.8.* semver | Not specified
CNA | Linux | Linux | unaffected 6.9 * original_commit_for_fix | Not specified
ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified

References

Reference | Source | Link | Tags
git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
lists.debian.org/debian-lts-announce/2024/06/msg00017.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List
cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com |
git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
lists.debian.org/debian-lts-announce/2024/06/msg00020.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List
git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis