In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly
syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below:
Ext:   logical offset   |  length :     physical offset    |  length
 0:        0..   16384 |   16384 :        151552..   167936 |   16384
 1:    16384..   32768 |   16384 :        155648..   172032 |   16384
 2:    32768..   49152 |   16384 :     537223168.. 537239552 |   16384
...
Here, extent 0/1 are physically overlapped although it's entirely impossible for normal filesystem images generated by mkfs.
First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness.
Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up struct z_erofs_bvec") for simplicity although it shouldn't be any difference.
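The invariant the crafted image breaks is that pclusters never share physical blocks, and the submission rule the fix restores is that non-contiguous physical ranges must go out in separate BIOs. The following is an added, stand-alone check written for this page (it is not code from the erofs patch or from the kernel) that applies both rules to the three extents quoted from the report above; the struct layout, function names and the batching rule "contiguous physical ranges may share one BIO" are this example's own simplifications of the kernel logic.

```c
/* Added example: validate compressed extents for physically overlapping
 * pclusters and count how many contiguous submission batches they need.
 * Not kernel code; struct and function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct extent {
    uint64_t lstart, llen;   /* logical (decompressed) offset and length */
    uint64_t pstart, plen;   /* physical (on-disk pcluster) offset and length */
};

/* The three extents from the syzbot report quoted in the commit message. */
static const struct extent report_extents[] = {
    {     0, 16384,    151552, 16384 },
    { 16384, 16384,    155648, 16384 },
    { 32768, 16384, 537223168, 16384 },
};

/* Reject ranges whose end would wrap around; a fuzzed image can set any value. */
static bool extent_valid(const struct extent *e)
{
    return e->plen != 0 && e->plen <= UINT64_MAX - e->pstart &&
           e->llen != 0 && e->llen <= UINT64_MAX - e->lstart;
}

/* Two half-open physical ranges overlap iff each starts before the other ends. */
static bool pclusters_overlap(const struct extent *a, const struct extent *b)
{
    return a->pstart < b->pstart + b->plen && b->pstart < a->pstart + a->plen;
}

/* Number of physically overlapping pairs, or -1 if any extent is malformed.
 * mkfs.erofs never produces overlaps, so any positive result marks a crafted
 * image. Quadratic scan is fine for a fsck-style check over a short list. */
static int count_physical_overlaps(const struct extent *ext, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!extent_valid(&ext[i]))
            return -1;
        for (size_t j = i + 1; j < n; j++)
            if (pclusters_overlap(&ext[i], &ext[j]))
                count++;
    }
    return count;
}

/* Number of BIOs needed when only a physically contiguous successor
 * (next pstart == previous pstart + plen) may be appended to the open BIO;
 * any other jump, forward or backward, starts a new one. */
static int count_bio_batches(const struct extent *ext, size_t n)
{
    if (n == 0)
        return 0;
    int batches = 1;
    uint64_t open_end = ext[0].pstart + ext[0].plen;
    for (size_t i = 1; i < n; i++) {
        if (ext[i].pstart != open_end)
            batches++;
        open_end = ext[i].pstart + ext[i].plen;
    }
    return batches;
}

int main(void)
{
    size_t n = sizeof(report_extents) / sizeof(report_extents[0]);
    printf("overlapping pairs: %d\n", count_physical_overlaps(report_extents, n));
    printf("BIOs required:     %d\n", count_bio_batches(report_extents, n));
    return 0;
}
```

For the quoted extents the check reports one overlapping pair (extents 0 and 1, whose physical ranges 151552..167936 and 155648..172032 share 12288 bytes) and three separate BIOs, since neither extent 1 nor extent 2 starts where its predecessor ends.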
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47736.json"
}
[
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2024-47736-49735641",
"target": {
"file": "fs/erofs/zdata.c",
"function": "pickup_page_for_submission"
},
"digest": {
"length": 1583.0,
"function_hash": "148699806677410103451741670929616376039"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf7e414cac303c9aec1be67872e19be8b64980c"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2024-47736-6e1e6b54",
"target": {
"file": "fs/erofs/zdata.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"206909247131029278104366617424991192827",
"226635816002565545747016174878402405491",
"96722092138586739726735699490089806863",
"146387176581071460524447371111795227121",
"162850167513741184388908650590556258772",
"181756089577256917396363020502831616120",
"124548527223501106887112831810203979500",
"208478664587068996586002980814323589114",
"83018978049742920578628568085191878205",
"70434222523192614210723641751428864725",
"208749194806004208740045048834451769808",
"89339728146368966417938151543824853832",
"122637253683348411204585586889146905665",
"46936465492969817031679437121921876488",
"158062292939347180726973239762115570412",
"116881499821789683196869049241010271518",
"88767533299452639157994938637924362407",
"300066745529070077280362505168954460391",
"220740064279868224118709711480155397080",
"254327074028402992541828861207847566253",
"180170212313615012297958817660153819673",
"114131802571006606065011832359028346050",
"192598438858333522035388091783933562686",
"316236151262645109597012494799278899109",
"215914157997172992402297950140889638456",
"189076203498129378777551613537669659346",
"48558617194864598643822863361575960312",
"235879421360553692798228701017387741337",
"272074231445428356681780693978813899130",
"78778398263498638506792685033051167538",
"250170883483316620816696261981503491901",
"192644180686061312161617965589203834886",
"91231086599816843297547418272393544323",
"66936400451482815454858293414774306362",
"277763731943280370956112477572355147087",
"308015975487088901528219083923561500811"
]
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf7e414cac303c9aec1be67872e19be8b64980c"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2024-47736-cb1b34e9",
"target": {
"file": "fs/erofs/zdata.c",
"function": "z_erofs_submit_queue"
},
"digest": {
"length": 2220.0,
"function_hash": "44809453839963341055699748427151620057"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf7e414cac303c9aec1be67872e19be8b64980c"
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47736.json"