CVE-2024-49884

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-use-after-free in ext4_split_extent_at()

We hit the following use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:

 kasan_report+0x93/0xc0
 ext4_split_extent_at+0xba8/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]

Allocated by task 40:
 __kmalloc_noprof+0x1ac/0x480
 ext4_find_extent+0xf3b/0x1e70
 ext4_ext_map_blocks+0x188/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]

Freed by task 40:
 kfree+0xf1/0x2b0
 ext4_find_extent+0xa71/0x1e70
 ext4_ext_insert_extent+0xa22/0x3260
 ext4_split_extent_at+0x3ef/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================

The flow of issue triggering is as follows:

ext4_split_extent_at
  path = *ppath
  ext4_ext_insert_extent(ppath)
    ext4_ext_create_new_leaf(ppath)
      ext4_find_extent(orig_path)
        path = *orig_path
        read_extent_tree_block
          // return -ENOMEM or -EIO
        ext4_free_ext_path(path)
          kfree(path)
        *orig_path = NULL
  a. If err is -ENOMEM:
  ext4_ext_dirty(path + path->p_depth)
    // path use-after-free !!!
  b. If err is -EIO and we have EXT_DEBUG defined:
  ext4_ext_show_leaf(path)
    eh = path[depth].p_hdr
      // path also use-after-free !!!

So when trying to zeroout or fix the extent length, call ext4_find_extent()
to update the path.

In addition we use *ppath directly as an ext4_ext_show_leaf() input to
avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
unnecessary path updates.
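The ownership mistake behind this record is generic: a callee that can free the object behind a shared pointer and set that pointer to NULL, while the caller keeps using a copy it cached before the call. The user-space model below is an added illustration, not part of the CVE record and not kernel code; find_extent, insert_extent, split_extent_buggy, split_extent_fixed, run_scenario and struct ext_path are constructed stand-ins for the ext4 functions named in the description, and the error is injected rather than produced by a real block read. The buggy shape reports whether its cached pointer has gone stale by comparing pointer values, so no freed memory is read; the fixed shape re-resolves the path through ppath before touching it, which is what the fix does by calling ext4_find_extent() again.

```c
/* Constructed user-space model of the pointer-ownership mistake behind the
 * ext4 use-after-free described above; not kernel code. */
#include <errno.h>
#include <stdlib.h>

struct ext_path {
    unsigned depth;   /* stands in for p_depth */
    unsigned dirty;   /* stands in for the buffer being marked dirty */
};

/* Models ext4_find_extent(): on failure it frees *orig_path and sets it to
 * NULL; on success it leaves (allocating if needed) a valid path in *orig_path. */
static int find_extent(struct ext_path **orig_path, int inject_err)
{
    struct ext_path *path = *orig_path;

    if (inject_err) {               /* models read_extent_tree_block() failing */
        free(path);                 /* models ext4_free_ext_path() -> kfree() */
        *orig_path = NULL;
        return inject_err;
    }
    if (!path) {
        path = calloc(1, sizeof *path);
        if (!path)
            return -ENOMEM;
        *orig_path = path;
    }
    path->depth = 1;
    return 0;
}

/* Models ext4_ext_insert_extent() reaching find_extent() through
 * ext4_ext_create_new_leaf(). */
static int insert_extent(struct ext_path **ppath, int inject_err)
{
    return find_extent(ppath, inject_err);
}

/* Buggy shape: `path` is cached before the call and reused after it.
 * Returns 1 when the cached pointer no longer matches *ppath, i.e. when the
 * kernel code would have written through freed memory at the
 * ext4_ext_dirty(path + path->p_depth) step. The comparison stands in for
 * the dereference so this model never reads freed memory. */
static int split_extent_buggy(struct ext_path **ppath, int inject_err)
{
    struct ext_path *path = *ppath;
    int err = insert_extent(ppath, inject_err);

    if (err == -ENOMEM)
        return path != *ppath;
    return 0;
}

/* Fixed shape: on error, re-resolve the path through ppath before using it,
 * as the fix does by calling ext4_find_extent() again. */
static int split_extent_fixed(struct ext_path **ppath, int inject_err)
{
    struct ext_path *path;
    int err = insert_extent(ppath, inject_err);

    if (err == -ENOMEM) {
        if (find_extent(ppath, 0) != 0) /* refresh; no error injected here */
            return -ENOMEM;
        path = *ppath;
        path->dirty = 1;                /* safe: path is the live object */
        return path != *ppath;          /* always 0 */
    }
    return 0;
}

/* Runs one scenario: fresh path, callee fails with -ENOMEM, caller reacts.
 * Returns 1 if the caller would have used a dangling pointer, 0 if not. */
int run_scenario(int use_fixed)
{
    struct ext_path *path = calloc(1, sizeof *path);
    int dangling;

    if (!path)
        return -ENOMEM;
    dangling = use_fixed ? split_extent_fixed(&path, -ENOMEM)
                         : split_extent_buggy(&path, -ENOMEM);
    free(path); /* NULL after the buggy run, the live object after the fixed run */
    return dangling;
}
```

The review check this models is simple to apply to any code that hands a pointer-to-pointer down a call chain: if any callee may free and null the pointee, every local copy taken before the call is dead after it, and the error path must re-read through the shared pointer rather than reuse the copy.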

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.18 (including) | 5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.55 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding)