CVE-2024-49881

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: update orig_path in ext4_find_extent()

In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example:

ext4_split_extent
  path = *ppath = 2000
  ext4_find_extent
    if (depth > path[0].p_maxdepth)
      kfree(path = 2000);
      *orig_path = path = NULL;
      path = kcalloc() = 3000
  ext4_split_extent_at(*ppath = NULL)
    path = *ppath;
    ex = path[depth].p_ext;
    // NULL pointer dereference!

==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:

ext4_split_extent.isra.0+0xcb/0x1b0
ext4_ext_convert_to_initialized+0x168/0x6c0
ext4_ext_handle_unwritten_extents+0x325/0x4d0
ext4_ext_map_blocks+0x520/0xdb0
ext4_map_blocks+0x2b0/0x690
ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================

Therefore, *orig_path is updated when the extent lookup succeeds, so that the caller can safely use path or *ppath.
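The bug class described above (a callee frees and reallocates a buffer, nulls the caller's out-parameter, but forgets to point it at the replacement) is easy to reproduce in user space. The following is an added, constructed model of the flow in the commit message; it is not kernel code, and the names alloc_path, find_extent, split_extent and run_scenario, the struct layout, and the depth values are assumptions chosen for the demo. A `fixed` flag selects between the original behaviour and the one-line fix from the commit (update *orig_path once the lookup succeeds), so the two outcomes can be compared side by side.

```c
#include <stdlib.h>

/* Constructed model of an ext4 extent path (example only, not the kernel's
 * struct ext4_ext_path). A path is an array of per-level entries; as in the
 * kernel, path[0].p_maxdepth records how many levels the allocation holds. */
struct ext_path {
    int p_maxdepth;   /* only meaningful in path[0] */
    int p_level;      /* stands in for the per-level data the caller reads */
};

/* Allocate a path that can hold levels 0..depth (mirrors kcalloc(depth + 2)). */
static struct ext_path *alloc_path(int depth)
{
    struct ext_path *path = calloc((size_t)depth + 2, sizeof(*path));
    if (!path)
        return NULL;
    path[0].p_maxdepth = depth + 1;
    return path;
}

/* Model of ext4_find_extent(). orig_path is the caller's pointer-to-path
 * (ppath). If the existing path is too small it is freed and replaced.
 * With fixed == 0 the replacement is never handed back through orig_path,
 * which is exactly the defect the CVE describes. */
static struct ext_path *find_extent(struct ext_path **orig_path, int depth, int fixed)
{
    struct ext_path *path = orig_path ? *orig_path : NULL;

    if (path && depth > path[0].p_maxdepth) {
        free(path);
        *orig_path = NULL;    /* correct on its own: the old buffer is gone */
        path = NULL;
    }
    if (!path) {
        path = alloc_path(depth);
        if (!path)
            return NULL;
    }
    for (int i = 0; i <= depth; i++)   /* "successfully initializing the path" */
        path[i].p_level = i;

    if (fixed && orig_path)
        *orig_path = path;    /* the fix: caller's ppath now tracks the new path */
    return path;
}

/* Model of the caller pair ext4_split_extent() / ext4_split_extent_at():
 * the inner function reads through *ppath, not the value find_extent returned.
 * Returns the level read, -1 where the kernel dereferenced NULL, -2 on ENOMEM. */
static int split_extent(struct ext_path **ppath, int depth, int fixed)
{
    struct ext_path *path = find_extent(ppath, depth, fixed);
    if (!path)
        return -2;

    struct ext_path *p = *ppath;      /* ext4_split_extent_at(*ppath) */
    if (!p) {
        free(path);  /* only the demo can do this; the kernel oopsed here,
                      * and on other paths simply leaked the new buffer */
        return -1;
    }
    return p[depth].p_level;          /* path[depth].p_ext in the kernel */
}

/* Run the scenario from the advisory: a path sized for a shallow tree, then a
 * lookup that needs more levels than it holds. Returns split_extent's result. */
int run_scenario(int fixed)
{
    struct ext_path *path = alloc_path(1);     /* holds levels 0..1, maxdepth 2 */
    int rc = split_extent(&path, 4, fixed);    /* 4 > 2 forces reallocation */
    free(path);                                /* NULL in the buggy case: no-op */
    return rc;
}
```

run_scenario(0) returns -1 (the caller's ppath is NULL while a valid path was returned, the state the oops above was hit from), and run_scenario(1) returns 4. The general lesson for review and static checking is the one the commit applies: whenever a function may free and replace a buffer it received through a double pointer, every exit that returns the new buffer must also store it back through that pointer, or callers that read the out-parameter instead of the return value will see NULL or a dangling value.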

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.18 (including) 5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.55 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.3 (excluding)