In the Linux kernel, the following vulnerability has been resolved:
ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
<TASK>
ext4_ext_insert_extent+0x26d4/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
[...]
Allocated by task 179:
ext4_find_extent+0x81c/0x1f70
ext4_ext_map_blocks+0x146/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
Freed by task 179:
kfree+0xcb/0x240
ext4_find_extent+0x7c0/0x1f70
ext4_ext_insert_extent+0xa26/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
==================================================================
So use *ppath to update the path to avoid the above problem.
References
Configurations
Configuration 1 (hide)
|
History
08 Nov 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Oct 2024, 14:43
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/51db04892a993cace63415be99848970a0f15ef2 - Patch | |
References | () https://git.kernel.org/stable/c/5e811066c5ab709b070659197dccfb80ab650ddd - Patch | |
References | () https://git.kernel.org/stable/c/8162ee5d94b8c0351be0a9321be134872a7654a1 - Patch | |
References | () https://git.kernel.org/stable/c/9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a - Patch | |
References | () https://git.kernel.org/stable/c/a164f3a432aae62ca23d03e6d926b122ee5b860d - Patch | |
References | () https://git.kernel.org/stable/c/beb7b66fb489041c50c6473100b383f7a51648fc - Patch | |
References | () https://git.kernel.org/stable/c/bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
First Time |
Linux linux Kernel
Linux |
|
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
CWE | CWE-416 |
23 Oct 2024, 15:13
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
21 Oct 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-21 18:15
Updated : 2024-11-08 16:15
NVD link : CVE-2024-49883
Mitre link : CVE-2024-49883
CVE.ORG link : CVE-2024-49883
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free