### [CVE-2024-57806](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57806)

Product: Linux. Affected versions: 182940f4f4dbd932776414744c8de64333957725, 6.7. Vulnerability type: n/a.

### Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction atomicity bug when enabling simple quotas

Set squota incompat bit before committing the transaction that enables the feature.

With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature.

```
[5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365
[5.597098] ------------[ cut here ]------------
[5.597371] kernel BUG at fs/btrfs/qgroup.c:365!
[5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146
[5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0
[5.604303]
[5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.605538] ? exc_invalid_op+0x56/0x70
[5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.606066] ? asm_exc_invalid_op+0x1f/0x30
[5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.607038] ? try_to_wake_up+0x317/0x760
[5.607286] open_ctree+0xd9c/0x1710
[5.607509] btrfs_get_tree+0x58a/0x7e0
[5.608002] vfs_get_tree+0x2e/0x100
[5.608224] fc_mount+0x16/0x60
[5.608420] btrfs_get_tree+0x2f8/0x7e0
[5.608897] vfs_get_tree+0x2e/0x100
[5.609121] path_mount+0x4c8/0xbc0
[5.609538] __x64_sys_mount+0x10d/0x150
```

The issue can be easily reproduced using the following reproducer:

```
root@q:linux# cat repro.sh
set -e
mkfs.btrfs -q -f /dev/sdb
mount /dev/sdb /mnt/btrfs
btrfs quota enable -s /mnt/btrfs
umount /mnt/btrfs
mount /dev/sdb /mnt/btrfs
```

The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas.

This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at:

btrfs_read_qgroup_config() -> qgroup_read_enable_gen()

To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction.

### POC

#### Reference

No PoCs from references.

#### Github

- https://github.com/oogasawa/Utility-security
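The ordering problem described in the commit message above, replayed by an added model (my illustration, not kernel code and not code from the reference repository): an in-memory fs_info that only reaches disk on commit, the unpatched and patched orderings side by side, and a mount-time check standing in for the assertion in btrfs_read_qgroup_config(). The struct names, field names and bit values are stand-ins chosen for the model, not the btrfs definitions.

```c
/* Added model of the CVE-2024-57806 ordering bug, not kernel code: the structs
 * and bit values are simplified stand-ins for the btrfs definitions. */
#include <stdbool.h>
#include <stdint.h>
#define SIMPLE_MODE  (1ULL << 3)  /* stand-in for BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE */
#define SIMPLE_QUOTA (1ULL << 16) /* stand-in for BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA */

/* On-disk state: superblock incompat bits and the BTRFS_QGROUP_STATUS_KEY item. */
struct disk { uint64_t sb_incompat; uint64_t qgroup_status; };
/* In-memory state; only a transaction commit copies it to disk. */
struct fs_info { uint64_t incompat; uint64_t qgroup_flags; struct disk *disk; };

static void commit_transaction(struct fs_info *fs)
{
    fs->disk->sb_incompat = fs->incompat;
    fs->disk->qgroup_status = fs->qgroup_flags;
}

/* btrfs_quota_enable() in simple mode; 'fixed' selects the patched ordering. */
static void quota_enable_simple(struct fs_info *fs, bool fixed)
{
    fs->qgroup_flags |= SIMPLE_MODE;
    if (fixed)
        fs->incompat |= SIMPLE_QUOTA; /* fix: same transaction as the status item */
    commit_transaction(fs);
    if (!fixed)
        fs->incompat |= SIMPLE_QUOTA; /* bug: reaches disk only on a later commit */
}

/* Mount-time check; false where btrfs_read_qgroup_config() would hit the assertion. */
static bool read_qgroup_config(struct fs_info *fs)
{
    fs->incompat = fs->disk->sb_incompat;
    fs->qgroup_flags = fs->disk->qgroup_status;
    return !(fs->qgroup_flags & SIMPLE_MODE) || (fs->incompat & SIMPLE_QUOTA);
}

/* Replays repro.sh: mount, quota enable, optional extra commit, umount, mount. */
bool remount_after_enable(bool fixed, bool extra_commit_before_umount)
{
    struct disk d = {0, 0};
    struct fs_info fs = {0, 0, &d};
    quota_enable_simple(&fs, fixed);
    if (extra_commit_before_umount)
        commit_transaction(&fs); /* any later commit hides the bug */
    struct fs_info fs2 = {0, 0, &d}; /* umount drops fs; remount reads disk */
    return read_qgroup_config(&fs2);
}
```

The third case (unpatched, but with one more commit before unmount) shows why the bug only surfaces when the enabling transaction is the last one before unmount or power loss.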