CVE-2024-57929

19 Ene 2025

Título es

CVE-2024-57929

Dom, 19/01/2025 – 12:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-57929

Descripción en

In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

When dm_bm_read_lock() fails due to locking or checksum errors, it
releases the faulty block implicitly while leaving an invalid output
pointer behind. The caller of dm_bm_read_lock() should not operate on
this invalid dm_block pointer, or it will lead to undefined result.
For example, the dm_array_cursor incorrectly caches the invalid pointer
on reading a faulty array block, causing a double release in
dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().

Reproduce steps:

1. initialize a cache device

dmsetup create cmeta –table "0 8192 linear /dev/sdc 0"
dmsetup create cdata –table "0 65536 linear /dev/sdc 8192"
dmsetup create corig –table "0 524288 linear /dev/sdc $262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1
dmsetup create cache –table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. wipe the second array block offline

dmsteup remove cache cmeta cdata corig
mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try reopen the cache device

dmsetup create cmeta –table "0 8192 linear /dev/sdc 0"
dmsetup create cdata –table "0 65536 linear /dev/sdc 8192"
dmsetup create corig –table "0 524288 linear /dev/sdc $262144"
dmsetup create cache –table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip)
device-mapper: array: array_block_check failed: blocknr 0 != wanted 10
device-mapper: block manager: array validator check failed for block 10
device-mapper: array: get_ablock failed
device-mapper: cache metadata: dm_array_cursor_next for mapping failed
————[ cut here ]————
kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be
verified using the "array_cursor/damaged" test in dm-unit:
dm-unit run /pdata/array_cursor/damaged –kernel-dir

19/01/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://git.kernel.org/stable/c/017c4470bff53585370028fec9341247bad358ff

https://git.kernel.org/stable/c/6002bec5354f86d1a2df21468f68e3ec03ede9da

https://git.kernel.org/stable/c/e477021d252c007f0c6d45b5d13d341efed03979

https://git.kernel.org/stable/c/f2893c0804d86230ffb8f1c8703fdbb18648abc8

Enviar en el boletín

Off