CVE-2024-49932
📋 TL;DR
A vulnerability in the Linux kernel's Btrfs filesystem can cause a kernel panic when performing readahead operations on relocation inodes with RAID stripe tree configurations. This affects systems using Btrfs with RAID stripe trees during block group relocation operations. The vulnerability leads to denial of service through system crashes.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash/kernel panic requiring reboot, potentially causing data corruption or loss during filesystem operations.
Likely Case
System crash during Btrfs balance or relocation operations, causing temporary denial of service until system reboot.
If Mitigated
No impact if not using Btrfs with RAID stripe trees or not performing block group relocation operations.
🎯 Exploit Status
Requires local access and ability to trigger Btrfs relocation operations. Not a remote code execution vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits 04915240e2c3a018e4c7f23418478d27226c8957 and f7a1218a983ab98aba140dc20b25f60b39ee4033
Vendor Advisory: https://git.kernel.org/stable/c/04915240e2c3a018e4c7f23418478d27226c8957
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. Check with your distribution for kernel updates.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable Btrfs relocation operations
Avoid Btrfs balance or relocation operations, which could trigger the vulnerability
Avoid running: btrfs balance start -d -m -s
Avoid running: btrfs filesystem defragment
Use alternative RAID configurations
Avoid using the RAID stripe tree (RST) feature with Btrfs
🧯 If You Can't Patch
- Monitor for Btrfs balance/relocation operations and restrict them to maintenance windows
- Implement system monitoring for kernel panics related to Btrfs operations
🔍 How to Verify
Check if Vulnerable:
Check if system uses Btrfs with RAID stripe trees and has performed relocation operations that caused kernel panics with scatter-gather list errors
Check Version:
uname -r
Verify Fix Applied:
Check kernel version includes the fix commits or verify that Btrfs relocation operations complete without kernel panics
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages with 'scatterlist.h:115'
- Btrfs errors about 'cannot find raid-stripe'
- System crash during btrfs balance operations
SIEM Query:
(event_type:kernel_panic AND message:"scatterlist.h:115") OR (event_type:btrfs_error AND message:"raid-stripe")
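The log indicators above can be correlated rather than matched one by one. The scanner below is an added example, not part of the original advisory or the kernel project. Assumptions: Btrfs messages carry a `(device X)` tag, relocation start is logged as "relocating block group", the 20-line window is arbitrary, and the function names and sample log are constructed for illustration.

```python
import re
import sys

# Indicators from the page's "Log Indicators" list.
BUG_MARK = "scatterlist.h:115"
RST_ERR = "cannot find raid-stripe"
# Assumptions (not from the page): Btrfs messages carry a "(device X)" tag,
# and relocation start is logged with the text "relocating block group".
RELOC = "relocating block group"
DEVICE = re.compile(r"BTRFS \w+ \(device ([^)]+)\)")

def device_of(line):
    """Return the device name tagged in a Btrfs log line, or None."""
    m = DEVICE.search(line)
    return m.group(1) if m else None

def scan(lines, window=20):
    """Report each scatterlist.h:115 hit; confidence is 'high' only when a
    raid-stripe lookup error appears at most `window` lines before it."""
    findings, relocating, last_err = [], set(), None
    for no, line in enumerate(lines, 1):
        if RELOC in line:
            relocating.add(device_of(line))
        elif RST_ERR in line:
            last_err = (no, device_of(line))
        elif BUG_MARK in line:
            hit = last_err is not None and no - last_err[0] <= window
            dev = last_err[1] if hit else None
            findings.append({"line": no, "device": dev,
                             "during_relocation": hit and dev in relocating,
                             "confidence": "high" if hit else "low"})
            last_err = None  # one error explains at most one crash
    return findings

# Constructed sample log (not captured from a real system).
SAMPLE = [
    "[101.1] BTRFS info (device sdx): balance: start -d -m -s",
    "[101.2] BTRFS info (device sdx): relocating block group 1000 flags data|raid0",
    "[101.3] BTRFS error (device sdx): cannot find raid-stripe for logical [2000, 3000]",
    "[101.4] kernel BUG at include/linux/scatterlist.h:115!",
]

if __name__ == "__main__":
    # Pipe a saved kernel log on stdin, or run with no input to use the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for finding in scan(source):
        print(finding)
```

A "low" finding means the `scatterlist.h:115` marker appeared without a preceding raid-stripe error, so it needs manual review before being attributed to this CVE.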