CVE-2024-56759 - Use-After-Free Vulnerability in Linux Kernel’s Btrfs COW Block Handling

In June 2024, the Linux kernel team resolved a serious use-after-free bug in the Btrfs filesystem’s Copy-on-Write (COW) block handling code. This flaw, tracked as CVE-2024-56759, can lead to kernel crashes and even potential privilege escalation, affecting any system using Btrfs with tracing enabled and preemptible kernel configuration.

Let’s break down what this bug is, how it happens, how it was fixed, and how attackers might exploit it.

What is CVE-2024-56759?

When using Btrfs (a modern Linux filesystem packed with advanced features like snapshots and subvolumes), the kernel manages data using complex tree structures and often has to make “COW” (Copy-On-Write) copies of data blocks.

The Problem

In the core function btrfs_cow_block(), there’s a tracepoint called trace_btrfs_cow_block(). This is a debugging feature: if tracing is enabled, this tracepoint logs specific kernel events. However, if your kernel has preemption enabled (CONFIG_PREEMPT=y), there’s a timing issue: the data structure called “extent buffer” might get freed (scheduled for deletion) right before the tracepoint code runs.

The result: if the kernel is preempted just at the wrong point, trace_btrfs_cow_block() can access memory that was just freed—classic use-after-free. This can lead to crashes (kernel panics), data corruption, or potentially let an attacker elevate their privileges.

Visual Overview

btrfs_cow_block()
   |
   |-- calls btrfs_force_cow_block()
         |
         |-- (maybe) drops last reference to @buf
         |-- schedules @buf for deletion via RCU
   |
   |-- trace_btrfs_cow_block()      <-- runs after buffer can be freed!

Exploitation Details

An attacker who can trigger Btrfs operations with tracing enabled and preemption on the kernel can potentially make the kernel dereference a pointer to memory already gone.

Kernel is built with CONFIG_PREEMPT=y

- The attacker can initiate or trigger I/O in such a way as to force a copy-on-write operation (easy for local users with filesystem access)

Simplified Exploit Scenario

Suppose an attacker (or more likely, a buggy kernel module or debugging tool) enables tracing and triggers massive file activity in a Btrfs filesystem. They can then force the kernel into racing conditions where it references freed memory, causing:

(Theoretical) arbitrary code execution in kernel space

No known proofs-of-concept have been published, but reviewing the vulnerable code path makes the risk clear.

OLD CODE (dangerous)

int btrfs_cow_block(...) {
    ...
    ret = btrfs_force_cow_block(...);
    /* Vulnerability: tracepoint runs AFTER freeing @buf */
    trace_btrfs_cow_block(buf, ...); 
}

NEW CODE (fixed)

int btrfs_force_cow_block(...) {
    /* New: tracepoint runs BEFORE freeing @buf */
    trace_btrfs_cow_block(buf, ...);
    /* then, maybe free @buf */
    free_extent_buffer_stale(buf);
}

By moving the tracepoint to just before the buffer might be freed, the kernel guarantees the buffer is still safely valid.

Before: vulnerable use-after-free

// trace_btrfs_cow_block could be called on a freed buffer!
btrfs_cow_block(...) {
    ...
    btrfs_force_cow_block(&buf);
    trace_btrfs_cow_block(buf, ...); // <-- UAF risk!
}

After: tracepoint moved above the free

btrfs_force_cow_block(...) {
    trace_btrfs_cow_block(buf, ...); // <-- safe
    free_extent_buffer_stale(buf);   // buffer is freed only after tracing
}

Check if you run Btrfs: mount | grep btrfs

- Check if tracing is enabled: Look for tracefs, ftrace, or profiling tools like perf, systemtap, or bcc

Check kernel config: Look for CONFIG_PREEMPT=y (most desktop distributions use this)

Mitigation: Upgrade to a kernel that includes the fix. If that's not possible, disable Btrfs kernel tracing or switch to a kernel with preemption disabled (though that’s not always practical).

References

- Original Linux Kernel Patch Commit
- Btrfs Community Project
- Linux Kernel Mailing List Discussion
- CVE-2024-56759 at MITRE *(Pending public entry)*

Summary

CVE-2024-56759 is a subtle but serious use-after-free bug in Btrfs’s tree block COW code, only dangerous when tracing is on and preemption is enabled. While the scenario is rare, the consequences can be catastrophic. Upgrade your kernel if you rely on Btrfs and do any kind of kernel tracing or low-level debugging!

*Stay safe—keep your systems and kernels updated!*

Timeline

Published on: 01/06/2025 17:15:40 UTC
Last modified on: 01/20/2025 06:27:32 UTC