CVE-2024-57929— dm array: fix releasing a faulty array block twice in dm_array_cursor_end
Affected Version Matrix 16
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | fdd1315aa5f022fe6574efdc2d9535f75a0ee255< 9c7c03d0e926762adf3a3a0ba86156fb5e19538b | affected |
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< fc1ef07c3522e257e32702954f265debbcb096a7 | affected | ||
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< 738994872d77e189b2d13c501a1d145e95d98f46 | affected | ||
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< e477021d252c007f0c6d45b5d13d341efed03979 | affected | ||
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< 6002bec5354f86d1a2df21468f68e3ec03ede9da | affected | ||
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< 017c4470bff53585370028fec9341247bad358ff | affected | ||
fdd1315aa5f022fe6574efdc2d9535f75a0ee255< f2893c0804d86230ffb8f1c8703fdbb18648abc8 | affected | ||
4.9 | affected | ||
| … +8 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-57929
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
dm array: fix releasing a faulty array block twice in dm_array_cursor_end
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于dm_array_cursor_end函数在处理故障数组块时,可能会错误地释放同一个块两次。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-57929
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-57929
请登录查看更多情报信息。
Patches & Fixes for CVE-2024-57929 (7)
Same Patch Batch · Linux · 2025-01-19 · 47 CVEs total
| CVE-2024-57914 | usb: typec: tcpci: fix NULL pointer issue on shared irq case | |
| CVE-2024-57919 | drm/amd/display: fix divide error in DM plane scale calcs | |
| CVE-2024-57922 | drm/amd/display: Add check for granularity in dml ceil/floor helpers | |
| CVE-2024-57923 | btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path | |
| CVE-2024-57925 | ksmbd: fix a missing return value check bug | |
| CVE-2024-57926 | drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err | |
| CVE-2024-57928 | netfs: Fix enomem handling in buffered reads | |
| CVE-2024-57927 | nfs: Fix oops in nfs_netfs_init_request() when copying to cache | |
| CVE-2024-57924 | fs: relax assertions on failure to encode file handles | |
| CVE-2024-57916 | misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling | |
| CVE-2024-57917 | topology: Keep the cpumask unchanged when printing cpumap | |
| CVE-2024-57913 | usb: gadget: f_fs: Remove WARN_ON in functionfs_bind | |
| CVE-2024-57912 | iio: pressure: zpa2326: fix information leak in triggered buffer | |
| CVE-2024-57911 | iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer | |
| CVE-2024-57910 | iio: light: vcnl4035: fix information leak in triggered buffer | |
| CVE-2024-57908 | iio: imu: kmx61: fix information leak in triggered buffer | |
| CVE-2024-57909 | iio: light: bh1745: fix information leak in triggered buffer | |
| CVE-2024-57907 | iio: adc: rockchip_saradc: fix information leak in triggered buffer | |
| CVE-2024-57905 | iio: adc: ti-ads1119: fix information leak in triggered buffer | |
| CVE-2024-57906 | iio: adc: ti-ads8688: fix information leak in triggered buffer |
Showing top 20 of 47 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
Same vendor: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
V. Comments for CVE-2024-57929
No comments yet