CVE-2024-44941
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-44941
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-44941.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-44941
- Downstream
- Related
- Published
- 2024-08-26T11:20:45.678Z
- Modified
- 2025-11-20T05:43:22.650546Z
- Summary
- f2fs: fix to cover read extent cache access with lock
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to cover read extent cache access with lock
syzbot reports a f2fs bug as below:
BUG: KASAN: slab-use-after-free in sanitycheckextentcache+0x370/0x410 fs/f2fs/extentcache.c:46 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097
CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:114 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 sanitycheckextentcache+0x370/0x410 fs/f2fs/extentcache.c:46 doreadinode fs/f2fs/inode.c:509 [inline] f2fsiget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fsnfsgetinode+0x74/0x100 fs/f2fs/super.c:3237 genericfhtodentry+0x9f/0xf0 fs/libfs.c:1413 exportfsdecodefhraw+0x152/0x5f0 fs/exportfs/expfs.c:444 exportfsdecodefh+0x3c/0x80 fs/exportfs/expfs.c:584 dohandletopath fs/fhandle.c:155 [inline] handletopath fs/fhandle.c:210 [inline] dohandleopen+0x495/0x650 fs/fhandle.c:226 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf5/0x240 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f
We missed to cover sanitycheckextent_cache() w/ extent cache lock, so, below race case may happen, result in use after free issue.
- f2fsiget
- doreadinode
- f2fsinitreadextenttree
: add largest extent entry in to cache
- shrink
- f2fsshrinkreadextenttree
- shrinkextenttree
- detach
- shrinkextenttree
- f2fsshrinkreadextenttree
- shrink
- f2fsinitreadextenttree
: add largest extent entry in to cache
- sanitycheckextent
- doreadinode
let's refactor sanitycheckextentcache() to avoid extent cache access and call it before f2fsinitreadextent_tree() to fix this issue.
- f2fsiget
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced98e4da8ca301e062d79ae168c67e56f3c3de3ce4Fixed263df78166d3a9609b97d28c34029bd01874cbb8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced98e4da8ca301e062d79ae168c67e56f3c3de3ce4Fixed323ef20b5558b9d9fd10c1224327af6f11a8177d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced98e4da8ca301e062d79ae168c67e56f3c3de3ce4Fixedd7409b05a64f212735f0d33f5f1602051a886eab
Affected versions
v3.*
v3.10
v3.10-rc1
v3.10-rc2
v3.10-rc3
v3.10-rc4
v3.10-rc5
v3.10-rc6
v3.10-rc7
v3.11
v3.11-rc1
v3.11-rc2
v3.11-rc3
v3.11-rc4
v3.11-rc5
v3.11-rc6
v3.11-rc7
v3.12
v3.12-rc1
v3.12-rc2
v3.12-rc3
v3.12-rc4
v3.12-rc5
v3.12-rc6
v3.12-rc7
v3.13
v3.13-rc1
v3.13-rc2
v3.13-rc3
v3.13-rc4
v3.13-rc5
v3.13-rc6
v3.13-rc7
v3.13-rc8
v3.14
v3.14-rc1
v3.14-rc2
v3.14-rc3
v3.14-rc4
v3.14-rc5
v3.14-rc6
v3.14-rc7
v3.14-rc8
v3.15
v3.15-rc1
v3.15-rc2
v3.15-rc3
v3.15-rc4
v3.15-rc5
v3.15-rc6
v3.15-rc7
v3.15-rc8
v3.16
v3.16-rc1
v3.16-rc2
v3.16-rc3
v3.16-rc4
v3.16-rc5
v3.16-rc6
v3.16-rc7
v3.17
v3.17-rc1
v3.17-rc2
v3.17-rc3
v3.17-rc4
v3.17-rc5
v3.17-rc6
v3.17-rc7
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7
v3.8
v3.8-rc1
v3.8-rc2
v3.8-rc3
v3.8-rc4
v3.8-rc5
v3.8-rc6
v3.8-rc7
v3.9
v3.9-rc1
v3.9-rc2
v3.9-rc3
v3.9-rc4
v3.9-rc5
v3.9-rc6
v3.9-rc7
v3.9-rc8
v4.*
v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"13840438052370249388634555406027405119",
"323434497576405781104987776516924612894",
"157436603829054142938185572032707432837",
"168949780092600390757899363940604455273",
"206264427666532935247047146611486686251",
"168611200370819870029813925127528958200",
"297867715715676204545165403942093414637",
"290187147446559625061961877759101478583",
"328044584798203944003182871398605317387",
"122895415212124731673095203500049412394",
"64700336153773825297343386982425803540",
"145543188613648474064391782287044119172",
"153979248147307338685932322294848558138",
"76793214844065691211225097631833710046",
"186677812392041039819427279313831746793",
"308771786518726345051499344281014690057",
"269902494269590701113054615573224455565",
"205479682773161650619794562627030802128",
"250951406830227723271360059780340039228",
"95599246280086993650909523395897143805",
"99940233356261739655390361747827647855",
"147998934322489168439500360090186280769",
"327917825201936728034831647005504199092",
"272858201813814374192020357938118026827",
"184991891537688794796899233399281452369",
"307546410774724765270850726897137378959",
"283768908564632083208954045686480154706",
"35224495844211355534626797682954360059",
"91100397184540481943444052453150018535",
"93684783342787473095156018588324140620",
"240952902610050343041353135850870365160",
"188166759960698108797717940412912856016",
"325934838221179369881262537449778371667",
"219492253017334697954478076565910112931",
"240273131198176679413459927344036042675",
"192003609942984659761310894278419859335",
"76571851507162500169563569304643853057",
"183278031127239426391199883662641227608",
"3590043689387678907257264834221096414",
"157976856137603038879727474148724361228",
"214050516476308522687061355305669420819",
"32188795609505756270102067319756044791",
"235994348142923733081428122017213383448",
"106325629894252140402099406273976262519",
"236031277370883220902630030676848392528",
"34557805917046784813233552764524082482",
"274960437875774792710024407285849293666",
"172081028792159513363187705080103066780",
"263000798489001562687758390788105948813",
"277179721703295988722956010284068613599"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/extent_cache.c"
},
"id": "CVE-2024-44941-0eb3c9ba"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"286932080587250121421051993825100776908",
"147460902100254316214373114690103227582",
"24033423825950227747398802848816080832",
"106934143445031069507097423257133826338"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/f2fs.h"
},
"id": "CVE-2024-44941-18cede7f"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 3911.0,
"function_hash": "318190798338910271158987454965549100670"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/inode.c",
"function": "do_read_inode"
},
"id": "CVE-2024-44941-1d956926"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 696.0,
"function_hash": "21543653806259457578768554851566516393"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/extent_cache.c",
"function": "sanity_check_extent_cache"
},
"id": "CVE-2024-44941-42cf1438"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 993.0,
"function_hash": "85205803724908416378951480242536053420"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/extent_cache.c",
"function": "f2fs_init_read_extent_tree"
},
"id": "CVE-2024-44941-6d30275b"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"34673000177214969033500591089278785973",
"135669116606246730627827384667745365805",
"296974186968057959505326989525960971261",
"209173888922467088949117329876642183120",
"81574130754006419435565800095992575352",
"128883710629991717639887202390039585598",
"85437250106868047744038489441658161482",
"302157296722671075034554013328210172458",
"113001249516681139104020334135677855220",
"282131887407531613866840870819351432968"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@323ef20b5558b9d9fd10c1224327af6f11a8177d",
"target": {
"file": "fs/f2fs/inode.c"
},
"id": "CVE-2024-44941-e8b3a7ca"
}
]