CVE-2024-57929

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/01/2025
Last modified:
02/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to an undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().

Reproduce steps:

1. initialize a cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. wipe the second array block offline

dmsetup remove cache cmeta cdata corig
mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try to reopen the cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip)
device-mapper: array: array_block_check failed: blocknr 0 != wanted 10
device-mapper: block manager: array validator check failed for block 10
device-mapper: array: get_ablock failed
device-mapper: cache metadata: dm_array_cursor_next for mapping failed
------------[ cut here ]------------
kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit:
dm-unit run /pdata/array_cursor/damaged --kernel-dir
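
The pointer lifecycle the commit describes, as a constructed C model added here (not kernel code and not the patch itself): a read_lock that releases its block on failure but leaves the output pointer set, a cursor that caches that pointer, and a cursor_end that puts it again. The hold-count check standing in for the dm-bufio BUG_ON, the clear_on_error switch and the run() driver are assumptions of this model.

```c
#include <stddef.h>
/* Constructed model (not kernel code) of the dm-bufio/dm-array interaction behind
 * CVE-2024-57929: each block has a hold count; a put at zero stands in for BUG_ON. */
struct dm_block { unsigned hold_count; int valid; };
struct array_cursor { struct dm_block *block; };
static int double_puts;                  /* puts seen on a zero hold count */

static void block_put(struct dm_block *b)
{
    if (b->hold_count == 0) { double_puts++; return; }  /* kernel: BUG_ON in cache_put() */
    b->hold_count--;
}

/* Models dm_bm_read_lock(): on a validation failure it drops the hold it
 * just took and returns an error, but *result still points at the block. */
static int read_lock(struct dm_block *b, struct dm_block **result)
{
    b->hold_count++;
    *result = b;
    if (b->valid) return 0;
    block_put(b);                        /* released implicitly on error... */
    return -1;                           /* ...while *result is left dangling */
}

/* Cursor step. Pre-fix code (clear_on_error = 0) keeps whatever read_lock
 * wrote; the fix (clear_on_error = 1) sets the cached pointer to NULL. */
static int cursor_next(struct array_cursor *c, struct dm_block *b, int clear_on_error)
{
    int r = read_lock(b, &c->block);
    if (r && clear_on_error) c->block = NULL;
    return r;
}

static void cursor_end(struct array_cursor *c)
{
    if (c->block) block_put(c->block);   /* the second put on the pre-fix path */
    c->block = NULL;
}

/* Steps a cursor onto a damaged block, then ends it; returns the double-release count. */
static int run(int clear_on_error)
{
    struct dm_block damaged = { .hold_count = 0, .valid = 0 };
    struct array_cursor c = { .block = NULL };
    double_puts = 0;
    (void)cursor_next(&c, &damaged, clear_on_error);
    cursor_end(&c);
    return double_puts;
}
```

run(0) reports one double release, which is the path that ends in the BUG_ON in the kernel log above; run(1) reports none.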

Impact