Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-49882

Disclosure Date: October 21, 2024
CVE-2024-49882 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double brelse() the buffer of the extents path

In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:

split2 map split1

ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent

 // 1. do split1
 ext4_split_extent_at
   |ext4_ext_insert_extent
   |  ext4_ext_create_new_leaf
   |    ext4_ext_grow_indepth
   |      le16_add_cpu(&neh->eh_depth, 1)
   |    ext4_find_extent
   |      // return -ENOMEM
   |// get error and try zeroout
   |path = ext4_find_extent
   |  path->p_depth = 1
   |ext4_ext_try_to_merge
   |  ext4_ext_try_to_merge_up
   |    path->p_depth = 0
   |    brelse(path[1].p_bh)  ---> not set to NULL here
   |// zeroout success
 // 2. update path
 ext4_find_extent
 // 3. do split2
 ext4_split_extent_at
   ext4_ext_insert_extent
     ext4_ext_create_new_leaf
       ext4_ext_grow_indepth
         le16_add_cpu(&neh->eh_depth, 1)
       ext4_find_extent
         path[0].p_bh = NULL;
         path->p_depth = 1
         read_extent_tree_block  ---> return err
         // path[1].p_bh is still the old value
         ext4_free_ext_path
           ext4_ext_drop_refs
             // path->p_depth == 1
             brelse(path[1].p_bh)  ---> brelse a buffer twice

Finally got the following WARRNING when removing the buffer from lru:

============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:brelse+0x58/0x90
Call Trace:
<TASK>
__find_get_block+0x6e7/0x810
bdev_getblk+0x2b/0x480
__ext4_get_inode_loc+0x48a/0x1240
ext4_get_inode_loc+0xb2/0x150
ext4_reserve_inode_write+0xb7/0x230
__ext4_mark_inode_dirty+0x144/0x6a0
ext4_ext_insert_extent+0x9c8/0x3230
ext4_ext_map_blocks+0xf45/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[…]
============================================

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux d4574bda6390
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • linux

Products

  • linux kernel
Technical Analysis