CVE-2024-50265

MEDIUM EPSS 22.6%
Published Nov 19, 2024 · Modified Jun 17, 2026
5.5 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():

  [ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
  [ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry
  [ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
  [...]
  [ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
  [...]
  [ 57.331328] Call Trace:
  [ 57.331477]  <TASK>
  [...]
  [ 57.333511]  ? do_user_addr_fault+0x3e5/0x740
  [ 57.333778]  ? exc_page_fault+0x70/0x170
  [ 57.334016]  ? asm_exc_page_fault+0x2b/0x30
  [ 57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
  [ 57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
  [ 57.334913]  ocfs2_xa_remove_entry+0x23/0xc0
  [ 57.335164]  ocfs2_xa_set+0x704/0xcf0
  [ 57.335381]  ? _raw_spin_unlock+0x1a/0x40
  [ 57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20
  [ 57.335915]  ? trace_preempt_on+0x1e/0x70
  [ 57.336153]  ? start_this_handle+0x16c/0x500
  [ 57.336410]  ? preempt_count_sub+0x50/0x80
  [ 57.336656]  ? _raw_read_unlock+0x20/0x40
  [ 57.336906]  ? start_this_handle+0x16c/0x500
  [ 57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0
  [ 57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0
  [ 57.337706]  ? ocfs2_start_trans+0x13d/0x290
  [ 57.337971]  ocfs2_xattr_set+0xb13/0xfb0
  [ 57.338207]  ? dput+0x46/0x1c0
  [ 57.338393]  ocfs2_xattr_trusted_set+0x28/0x30
  [ 57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30
  [ 57.338948]  __vfs_removexattr+0x92/0xc0
  [ 57.339182]  __vfs_removexattr_locked+0xd5/0x190
  [ 57.339456]  ? preempt_count_sub+0x50/0x80
  [ 57.339705]  vfs_removexattr+0x5f/0x100
  [...]

Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> ocfs2_xa_value_truncate() with -ENOMEM.

In this case the comment mentions that we can return 0 if ocfs2_xa_cleanup_value_truncate() is going to wipe the entry anyway. But the following 'rc' check is wrong and the execution flow does 'ocfs2_xa_remove_entry(loc);' twice:
  * 1st: in ocfs2_xa_cleanup_value_truncate();
  * 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.

Fix this by skipping the 2nd removal of the same entry and making the syzkaller repro happy.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
22.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference (Memory Safety)

Affected Products 13

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥2.6.34 – <4.19.324
linux    linux_kernel   *         ≥4.20 – <5.4.286
linux    linux_kernel   *         ≥5.5 – <5.10.230
linux    linux_kernel   *         ≥5.11 – <5.15.172
linux    linux_kernel   *         ≥5.16 – <6.1.117
linux    linux_kernel   *         ≥6.2 – <6.6.61
linux    linux_kernel   *         ≥6.7 – <6.11.8
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any
linux    linux_kernel   6.12      any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/0b63c0e01fba40e3992bc627272ec7b618ccaef7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/168a9b8303fcb0317db4c06b23ce1c0ce2af4e10
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b5369528ee63c88371816178a05b5e664c87386
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/38cbf13b2e7a31362babe411f7c2c3c52cd2734b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6a7e6dcf90fe7721d0863067b6ca9a9442134692
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/86dd0e8d42828923c68ad506933336bcd6f2317d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dcc8fe8c83145041cb6c80cac21f6173a3ff0204
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd73c942eed76a014c7a5597e6926435274d2c4c
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

Patch available: apply the git.kernel.org stable commits listed under References above.