CVE-2024-49889

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: avoid use-after-free in ext4_ext_show_leaf()<br /> <br /> In ext4_find_extent(), path may be freed by error or be reallocated, so<br /> using a previously saved *ppath may have been freed and thus may trigger<br /> use-after-free, as follows:<br /> <br /> ext4_split_extent<br /> path = *ppath;<br /> ext4_split_extent_at(ppath)<br /> path = ext4_find_extent(ppath)<br /> ext4_split_extent_at(ppath)<br /> // ext4_find_extent fails to free path<br /> // but zeroout succeeds<br /> ext4_ext_show_leaf(inode, path)<br /> eh = path[depth].p_hdr<br /> // path use-after-free !!!<br /> <br /> Similar to ext4_split_extent_at(), we use *ppath directly as an input to<br /> ext4_ext_show_leaf(). Fix a spelling error by the way.<br /> <br /> Same problem in ext4_ext_handle_unwritten_extents(). Since &amp;#39;path&amp;#39; is only<br /> used in ext4_ext_show_leaf(), remove &amp;#39;path&amp;#39; and use *ppath directly.<br /> <br /> This issue is triggered only when EXT_DEBUG is defined and therefore does<br /> not affect functionality.