CVE-2024-50015

CVE Details

Release Date:

2024-10-21

Description

In the Linux kernel, the following vulnerability has been resolved:\next4: dax: fix overflowing extents beyond inode size when partially writing\nThe dax_iomap_rw() does two things in each iteration: map written blocks\nand copy user data to blocks. If the process is killed by user(See signal\nhandling in dax_iomap_iter()), the copied data will be returned and added\non inode size, which means that the length of written extents may exceed\nthe inode size, then fsck will fail. An example is given as:\ndd if=/dev/urandom of=file bs=4M count=1\ndax_iomap_rw\niomap_iter // round 1\next4_iomap_begin\next4_iomap_alloc // allocate 0~2M extents(written flag)\ndax_iomap_iter // copy 2M data\niomap_iter // round 2\niomap_iter_advance\niter->pos += iter->processed // iter->pos = 2M\next4_iomap_begin\next4_iomap_alloc // allocate 2~4M extents(written flag)\ndax_iomap_iter\nfatal_signal_pending\ndone = iter->pos - iocb->ki_pos // done = 2M\next4_handle_inode_extension\next4_update_inode_size // inode size = 2M\nfsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix?\nFix the problem by truncating extents if the written length is smaller\nthan expected.

See more information about CVE-2024-50015 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	4.4
Vector String:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	High
User Interaction:	None
Scope:	Unchanged
Confidentiality:	None
Integrity:	None
Availability:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12887	2024-12-18
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12887	2024-12-18