CVE-2024-50278

HIGH EPSS 17.5%
Published Nov 19, 20241y ago · Modified Jun 17, 20262w ago
7.1 CVSS 3.1
High
Find Similar
Published Nov 19, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: dm cache: fix potential out-of-bounds access on the first resume Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, and the check in cache_preresume is not performed during the first resume, leading to the issue. Reproduce steps: 1. prepare component devices: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct 2. load a cache table of 512 cache blocks, and deliberately expand the fast device before resuming the cache, making the in-core data structures inadequate. dmsetup create cache --notable dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache 3. suspend the cache to write out the in-core dirty bitset and hint array, leading to out-of-bounds access to the dirty bitset at offset 0x40: dmsetup suspend cache KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80 Read of size 8 at addr ffffc90000085040 by task dmsetup/90 (...snip...) The buggy address belongs to the virtual mapping at [ffffc90000085000, ffffc90000087000) created by: cache_ctr+0x176a/0x35f0 (...snip...) Memory state around the buggy address: ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 Fix by checking the size change on the first resume.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
17.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥3.13  –  <4.19.324
linuxlinux_kernel*≥4.20  –  <5.4.286
linuxlinux_kernel*≥5.5  –  <5.10.230
linuxlinux_kernel*≥5.11  –  <5.15.172
linuxlinux_kernel*≥5.16  –  <6.1.117
linuxlinux_kernel*≥6.2  –  <6.6.61
linuxlinux_kernel*≥6.7  –  <6.11.8
linuxlinux_kernel6.12any
linuxlinux_kernel6.12any
linuxlinux_kernel6.12any
linuxlinux_kernel6.12any
linuxlinux_kernel6.12any
linuxlinux_kernel6.12any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688
    Patch