### [CVE-2024-50217](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50217)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=142388194191%3C%2047a83f8df395%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)
### Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in `__btrfs_free_extra_devids()`

Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger an UAF for variable 'device->bdev_file' in `__btrfs_free_extra_devids()`. And following are the details:

1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV):

   ```
             /  btrfs_device_1 → loop0
   fs_device
             \  btrfs_device_2 → loop1
   ```

2. mount /dev/loop0 /mnt

   ```
   btrfs_open_devices
    btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     fail: btrfs_close_devices // -ENOMEM
            btrfs_close_bdev(btrfs_device_1)
             fput(btrfs_device_1->bdev_file)
              // btrfs_device_1->bdev_file is freed
            btrfs_close_bdev(btrfs_device_2)
             fput(btrfs_device_2->bdev_file)
   ```

3. mount /dev/loop1 /mnt

   ```
   btrfs_open_devices
    btrfs_get_bdev_and_sb(&bdev_file)
     // EIO, btrfs_device_1->bdev_file is not assigned,
     // which points to a freed memory area
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     btrfs_free_extra_devids
      if (btrfs_device_1->bdev_file)
       fput(btrfs_device_1->bdev_file) // UAF !
   ```

Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in `btrfs_close_one_device()`.
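A userspace C model of the pointer lifecycle in steps 2 and 3, added here as an illustration; it is not kernel code and not the upstream patch. The `*_model` types, `replay_mount_sequence()` and the `patched` flag are hypothetical names, and the model never frees memory, so the stale access shows up as a return value instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: stands in for the kernel's refcounted struct file. */
struct file_model { int refcount; int released; };
struct device_model { struct file_model *bdev_file; };

/* Drop one reference; -1 means the object was already released, the point
 * where the kernel would touch freed memory. Nothing is really freed here. */
static int fput_model(struct file_model *f)
{
    if (f->released)
        return -1;
    if (--f->refcount == 0)
        f->released = 1;
    return 0;
}

/* Close path; 'patched' selects whether the pointer is cleared after fput. */
static void close_one_device(struct device_model *dev, int patched)
{
    if (!dev->bdev_file)
        return;
    fput_model(dev->bdev_file);
    if (patched)
        dev->bdev_file = NULL; /* the fix named in the description */
}

/* Cleanup path, same shape as the check in step 3 of the trace. */
static int free_extra_devids(struct device_model *dev)
{
    return dev->bdev_file ? fput_model(dev->bdev_file) : 0;
}

/* Replays steps 2 and 3 for btrfs_device_1; -1 means a stale fput happened. */
int replay_mount_sequence(int patched)
{
    struct file_model loop0_file = { 1, 0 };
    struct device_model dev1 = { &loop0_file };

    close_one_device(&dev1, patched); /* step 2: mount fails, devices closed */
    /* step 3: reopening dev1 fails (EIO), so bdev_file is never reassigned */
    return free_extra_devids(&dev1);
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", replay_mount_sequence(0), replay_mount_sequence(1));
    return 0;
}
```

The non-NULL check in the cleanup path only protects against a second `fput` if every close path clears the pointer, which is why the fix sits in the close routine and not at the call site.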
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/bygregonline/devsec-fastapi-report