Release Date: | 2024-10-21 |
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double brelse() the buffer of the extents path

In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:

split2 map split1
|--------|-------|--------|

ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice

Finally got the following WARNING when removing the buffer from lru:

============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
See more information about CVE-2024-49882 from MITRE CVE dictionary and NIST NVD
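The double release in the description above can be followed in a small userspace model. This is an added example, not kernel code and not the upstream fix: the structs, the model_* functions and the reference counter are constructed stand-ins for the buffer and the extent path, and `fixed` toggles the NULL assignment the description calls for.

```c
/* Userspace model of the sequence above; not kernel code, names constructed. */
#include <stdio.h>
struct buf  { int refcount; };                   /* stands in for a buffer_head */
struct path { struct buf *p_bh; int p_depth; };  /* one level of the extent path */
static int warnings;                             /* "free free buffer" events */

/* brelse() model: NULL is ignored; a release at refcount 0 is the bug. */
static void model_brelse(struct buf *bh)
{
    if (!bh)
        return;
    if (bh->refcount == 0)
        warnings++;
    else
        bh->refcount--;
}

/* Merge-up model: depth drops to 0 and the level-1 buffer is released. */
static void model_merge_up(struct path *path, int fixed)
{
    path->p_depth = 0;
    model_brelse(path[1].p_bh);
    if (fixed)
        path[1].p_bh = NULL;   /* the fix: forget the released pointer */
}

/* Error path: failed lookup raises p_depth to 1, path[1].p_bh stays stale. */
static void model_failed_lookup_and_free(struct path *path)
{
    path[0].p_bh = NULL;
    path->p_depth = 1;
    for (int i = 0; i <= path->p_depth; i++) {
        model_brelse(path[i].p_bh);
        path[i].p_bh = NULL;
    }
}

/* Returns how many double releases the sequence produces. */
int simulate(int fixed)
{
    struct buf leaf = { .refcount = 1 };
    struct path path[2] = { { NULL, 1 }, { &leaf, 0 } };
    warnings = 0;
    model_merge_up(path, fixed);
    model_failed_lookup_and_free(path);
    return warnings;
}

int main(void) { printf("unfixed: %d, fixed: %d\n", simulate(0), simulate(1)); return 0; }
```

Without the NULL assignment, the stale path[1].p_bh is released a second time once p_depth is raised back to 1; with it, the error path finds nothing to release at that level.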
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
Base Score: | 6.7 |
Vector String: | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Version: | 3.1 |
Attack Vector: | Local |
Attack Complexity: | Low |
Privileges Required: | High |
User Interaction: | None |
Scope: | Unchanged |
Confidentiality: | High |
Integrity: | High |
Availability: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: