Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-49884— ext4: fix slab-use-after-free in ext4_split_extent_at()

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-49884

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ext4: fix slab-use-after-free in ext4_split_extent_at()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ext4文件系统在ext4_split_extent_at函数中对已释放内存的不当访问,导致释放后重用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux dfe5080939ea4686b3414b5d970a9b26733c57a4 ~ 393a46f60ea4f249dc9d496d4eb2d542f5e11ade -
LinuxLinux 3.18 -

II. Public POCs for CVE-2024-49884

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-49884

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-10-21 · 372 CVEs total

CVE-2024-50019kthread: unpark only parked kthread
CVE-2024-50030drm/xe/ct: prevent UAF in send_recv()
CVE-2024-50028thermal: core: Reference count the zone in thermal_zone_get_by_id()
CVE-2024-50029Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
CVE-2024-50027thermal: core: Free tzp copy along with the thermal zone
CVE-2024-50025scsi: fnic: Move flush_work initialization out of if block
CVE-2024-50026scsi: wd33c93: Don't use stale scsi_pointer value
CVE-2024-50023net: phy: Remove LED entry from LEDs list on unregister
CVE-2024-50024net: Fix an unsafe loop on the list
CVE-2024-50022device-dax: correct pgoff align in dax_set_mapping()
CVE-2024-50021ice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()
CVE-2024-50020ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()
CVE-2024-50011ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item
CVE-2024-50006ext4: fix i_data_sem unlock order in ext4_ind_migrate()
CVE-2024-50007ALSA: asihpi: Fix potential OOB array access
CVE-2024-50008wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
CVE-2024-50009cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value
CVE-2024-50010exec: don't WARN for racy path_noexec check
CVE-2024-50014ext4: fix access to uninitialised lock in fc replay path
CVE-2024-50017x86/mm/ident_map: Use gbpages only where full GB page should be mapped.

Showing top 20 of 372 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-49884

No comments yet

Leave a comment