CVE-2024-49903

HIGH EPSS 16.7%
Published Oct 21, 20241y ago · Modified Jun 17, 20261w ago
7.0 CVSS 3.1
High
Find Similar
Published Oct 21, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uaf in dbFreeBits [syzbot reported] ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __mutex_lock_common kernel/locking/mutex.c:587 [inline] __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Freed by task 5218: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kfree+0x149/0x360 mm/slub.c:4594 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 reconfigure_super+0x445/0x880 fs/super.c:1083 vfs_cmd_reconfigure fs/fsopen.c:263 [inline] vfs_fsconfig_locked fs/fsopen.c:292 [inline] __do_sys_fsconfig fs/fsopen.c:473 [inline] __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Analysis] There are two paths (dbUnmount and jfs_ioc_trim) that generate race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by race condition.

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
16.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel* <5.10.227
linuxlinux_kernel*≥5.11  –  <5.15.168
linuxlinux_kernel*≥5.16  –  <6.1.113
linuxlinux_kernel*≥6.2  –  <6.6.55
linuxlinux_kernel*≥6.7  –  <6.10.14
linuxlinux_kernel*≥6.11  –  <6.11.3

References 13

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-355557.html
  • git.kernel.org https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3126ccde51f51b0648c8cdccaf916e8bd062e972
  • git.kernel.org https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4ac58f7734937f3249da734ede946dfb3b1af5e4
  • git.kernel.org https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a
    Patch