admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
cvelist/2024/50xxx/CVE-2024-50278.json
CVE Team 55071827dd
"-Synchronized-Data."
2024-11-19 02:01:14 +00:00

168 lines
10 KiB
JSON
Raw Blame History

{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-50278",
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix potential out-of-bounds access on the first resume\n\nOut-of-bounds access occurs if the fast device is expanded unexpectedly\nbefore the first-time resume of the cache table. This happens because\nexpanding the fast device requires reloading the cache table for\ncache_create to allocate new in-core data structures that fit the new\nsize, and the check in cache_preresume is not performed during the\nfirst resume, leading to the issue.\n\nReproduce steps:\n\n1. prepare component devices:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\n\n2. load a cache table of 512 cache blocks, and deliberately expand the\n fast device before resuming the cache, making the in-core data\n structures inadequate.\n\ndmsetup create cache --notable\ndmsetup reload cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup reload cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\n3. suspend the cache to write out the in-core dirty bitset and hint\n array, leading to out-of-bounds access to the dirty bitset at offset\n 0x40:\n\ndmsetup suspend cache\n\nKASAN reports:\n\n BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80\n Read of size 8 at addr ffffc90000085040 by task dmsetup/90\n\n (...snip...)\n The buggy address belongs to the virtual mapping at\n [ffffc90000085000, ffffc90000087000) created by:\n cache_ctr+0x176a/0x35f0\n\n (...snip...)\n Memory state around the buggy address:\n ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by checking the size change on the first resume."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "f494a9c6b1b6",
"version_value": "e492f71854ce"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "3.13",
"status": "affected"
},
{
"version": "0",
"lessThan": "3.13",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.324",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.286",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.230",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.172",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.117",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.61",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.8",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d"
},
{
"url": "https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492"
},
{
"url": "https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be"
},
{
"url": "https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688"
},
{
"url": "https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb"
},
{
"url": "https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86"
},
{
"url": "https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4"
},
{
"url": "https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d"
}
]
},
"generator": {
"engine": "bippy-8e903de6a542"
}
}
Reference in New Issue View Git Blame Copy Permalink