CVE-2024-49884
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-49884
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49884.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-49884
- Related
- Published
- 2024-10-21T18:15:11Z
- Modified
- 2024-11-09T12:50:46.471432Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-use-after-free in ext4splitextent_at()
We hit the following use-after-free:
================================================================== BUG: KASAN: slab-use-after-free in ext4splitextentat+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasanreport+0x93/0xc0 ext4splitextentat+0xba8/0xcc0 ext4splitextent.isra.0+0x18f/0x500 ext4splitconvertextents+0x275/0x750 ext4exthandleunwrittenextents+0x73e/0x1580 ext4extmapblocks+0xe20/0x2dc0 ext4mapblocks+0x724/0x1700 ext4do_writepages+0x12d6/0x2a70 [...]
Allocated by task 40: _kmallocnoprof+0x1ac/0x480 ext4findextent+0xf3b/0x1e70 ext4extmapblocks+0x188/0x2dc0 ext4mapblocks+0x724/0x1700 ext4do_writepages+0x12d6/0x2a70 [...]
Freed by task 40: kfree+0xf1/0x2b0 ext4findextent+0xa71/0x1e70 ext4extinsertextent+0xa22/0x3260 ext4splitextentat+0x3ef/0xcc0 ext4splitextent.isra.0+0x18f/0x500 ext4splitconvertextents+0x275/0x750 ext4exthandleunwrittenextents+0x73e/0x1580 ext4extmapblocks+0xe20/0x2dc0 ext4mapblocks+0x724/0x1700 ext4dowritepages+0x12d6/0x2a70
[...]
The flow of issue triggering is as follows:
ext4splitextentat path = *ppath ext4extinsertextent(ppath) ext4extcreatenewleaf(ppath) ext4findextent(origpath) path = *origpath readextenttreeblock // return -ENOMEM or -EIO ext4freeextpath(path) kfree(path) *origpath = NULL a. If err is -ENOMEM: ext4extdirty(path + path->pdepth) // path use-after-free !!! b. If err is -EIO and we have EXTDEBUG defined: ext4extshowleaf(path) eh = path[depth].p_hdr // path also use-after-free !!!
So when trying to zeroout or fix the extent length, call ext4findextent() to update the path.
In addition we use *ppath directly as an ext4extshowleaf() input to avoid possible use-after-free when EXTDEBUG is defined, and to avoid unnecessary path updates.
- References
-
- https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238
- https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3
- https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18
- https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9
- https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f
- https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe
- https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185
- https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade
- https://security-tracker.debian.org/tracker/CVE-2024-49884
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.115-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.11.4-1