In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly
syzbot reported a task hang caused by a deadlock: a task waits for the folio lock of a cached folio that will be used for cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below:
 Ext:   logical offset   |  length :     physical offset    |  length
   0:        0..   16384 |   16384 :     151552..   167936 |   16384
   1:    16384..   32768 |   16384 :     155648..   172032 |   16384
   2:    32768..   49152 |   16384 :  537223168..537239552 |   16384
 ...
Here, extents 0 and 1 physically overlap, although that is entirely impossible for normal filesystem images generated by mkfs.
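An added example (not from the kernel commit or the erofs code) that parses the extent table above, copied here as constructed input, and reports physically overlapping pclusters, the condition a well-formed mkfs output never produces:

```python
import re
from itertools import combinations

# Extent table as printed in the advisory (constructed copy for this example).
EXTENT_TABLE = """\
   0:        0..   16384 |   16384 :     151552..   167936 |   16384
   1:    16384..   32768 |   16384 :     155648..   172032 |   16384
   2:    32768..   49152 |   16384 :  537223168..537239552 |   16384
"""

# idx: lstart.. lend | llen : pstart.. pend | plen
_LINE = re.compile(
    r"^\s*(\d+):\s*(\d+)\.\.\s*(\d+)\s*\|\s*(\d+)\s*:"
    r"\s*(\d+)\.\.\s*(\d+)\s*\|\s*(\d+)\s*$"
)


def parse_extents(text):
    """Return a list of {idx, lstart, lend, pstart, pend} parsed from the table."""
    extents = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header / ellipsis lines carry no extent
        idx, ls, le, llen, ps, pe, plen = map(int, m.groups())
        # Sanity check: the printed length must agree with the range bounds.
        if le - ls != llen or pe - ps != plen:
            raise ValueError(f"extent {idx}: length field disagrees with range")
        extents.append({"idx": idx, "lstart": ls, "lend": le, "pstart": ps, "pend": pe})
    return extents


def physical_overlaps(extents):
    """Return [(i, j, lo, hi)] for every pair whose physical ranges
    [pstart, pend) intersect; lo..hi is the shared byte range."""
    found = []
    for a, b in combinations(sorted(extents, key=lambda e: e["pstart"]), 2):
        lo = max(a["pstart"], b["pstart"])
        hi = min(a["pend"], b["pend"])
        if lo < hi:
            found.append((a["idx"], b["idx"], lo, hi))
    return found


if __name__ == "__main__":
    for i, j, lo, hi in physical_overlaps(parse_extents(EXTENT_TABLE)):
        print(f"extents {i} and {j} share physical bytes {lo}..{hi}")
```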
First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission, which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement if overlapped big pclusters exist. Again, these only appear in fuzzed images, so let's simply fall back to temporary short-lived pages for correctness.
Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up struct z_erofs_bvec") for simplicity, although it shouldn't make any difference.
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "29877983055698798205577251531520993908",
"length": 2403.0
},
"id": "CVE-2024-47736-03d250c7",
"target": {
"function": "z_erofs_submit_queue",
"file": "fs/erofs/zdata.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9
},
"id": "CVE-2024-47736-1b7be208",
"target": {
"file": "fs/erofs/zdata.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "303716570758851513853727836527034119898",
"length": 1919.0
},
"id": "CVE-2024-47736-9a7b0664",
"target": {
"function": "z_erofs_fill_bio_vec",
"file": "fs/erofs/zdata.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "303716570758851513853727836527034119898",
"length": 1919.0
},
"id": "CVE-2024-47736-bd59e2f6",
"target": {
"function": "z_erofs_fill_bio_vec",
"file": "fs/erofs/zdata.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50",
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "29877983055698798205577251531520993908",
"length": 2403.0
},
"id": "CVE-2024-47736-c94d4095",
"target": {
"function": "z_erofs_submit_queue",
"file": "fs/erofs/zdata.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8",
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9
},
"id": "CVE-2024-47736-f59577b5",
"target": {
"file": "fs/erofs/zdata.c"
}
}
]