CVE-2024-40952

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40952
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40952.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40952
Downstream
Published
2024-07-12T12:31:56Z
Modified
2025-10-14T18:42:04.331111Z
Summary
ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()

bdev->bd_super has been removed and commit 8887b94d9322 changed the usage from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the following NULL pointer dereference in ocfs2_journal_dirty() since b_assoc_map is still not initialized. This can be easily reproduced by running xfstests generic/186, which simulates running out of journal credits.

[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000
...
[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
...
[ 134.365071] Call Trace:
[ 134.365312]  <TASK>
[ 134.365524]  ? __die_body+0x1e/0x60
[ 134.365868]  ? page_fault_oops+0x13d/0x4f0
[ 134.366265]  ? __pfx_bit_wait_io+0x10/0x10
[ 134.366659]  ? schedule+0x27/0xb0
[ 134.366981]  ? exc_page_fault+0x6a/0x140
[ 134.367356]  ? asm_exc_page_fault+0x26/0x30
[ 134.367762]  ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
[ 134.368305]  ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]
[ 134.368837]  ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]
[ 134.369454]  ocfs2_grow_tree+0x688/0x8a0 [ocfs2]
[ 134.369927]  ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]
[ 134.370521]  ocfs2_split_extent+0x314/0x4d0 [ocfs2]
[ 134.371019]  ocfs2_change_extent_flag+0x174/0x410 [ocfs2]
[ 134.371566]  ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]
[ 134.372117]  ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]
[ 134.372994]  ? inode_update_timestamps+0x4a/0x120
[ 134.373692]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[ 134.374545]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[ 134.375393]  ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]
[ 134.376197]  ocfs2_remap_file_range+0x1de/0x390 [ocfs2]
[ 134.376971]  ? security_file_permission+0x29/0x50
[ 134.377644]  vfs_clone_file_range+0xfe/0x320
[ 134.378268]  ioctl_file_clone+0x45/0xa0
[ 134.378853]  do_vfs_ioctl+0x457/0x990
[ 134.379422]  __x64_sys_ioctl+0x6e/0xd0
[ 134.379987]  do_syscall_64+0x5d/0x170
[ 134.380550]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 134.381231] RIP: 0033:0x7fa4926397cb
[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48
[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb
[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003
[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000
[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000
[ 134.389207]  </TASK>

Fix it by only aborting the transaction and journal in ocfs2_journal_dirty() now, and leaving ocfs2_abort() for later, when an aborted handle is detected, e.g. when starting the next transaction. Also log the handle details in this case.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8887b94d93224e0ef7e1bc6369640e313b8b12f4
Fixed
0550ad87711f815b3d73e487ec58ca7d8f56edbc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8887b94d93224e0ef7e1bc6369640e313b8b12f4
Fixed
72663d3e09091f431a0774227ca207c0358362dd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8887b94d93224e0ef7e1bc6369640e313b8b12f4
Fixed
58f7e1e2c9e72c7974054c64c3abeac81c11f822

Affected versions

v6.*

v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.5
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2024-40952-097f5d7b",
            "signature_type": "Function",
            "target": {
                "file": "fs/ocfs2/journal.c",
                "function": "ocfs2_journal_dirty"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0550ad87711f815b3d73e487ec58ca7d8f56edbc",
            "digest": {
                "function_hash": "178922478459972958413392601296302961844",
                "length": 530.0
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "id": "CVE-2024-40952-31040e78",
            "signature_type": "Line",
            "target": {
                "file": "fs/ocfs2/journal.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72663d3e09091f431a0774227ca207c0358362dd",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "65329096842401238778787989967153366954",
                    "225517645441502459334437388708087723263",
                    "74265486982878020892614678318302264162",
                    "118722444841113098525142068966527905044",
                    "188717553655884672215474358521047776040",
                    "229636591743800339310690356698682684119",
                    "243242683459745372302037522577314677050",
                    "39746730690521621435176939315848027350",
                    "86020330304503439272024057864106308317",
                    "271284774377749048209923400172064209352"
                ]
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "id": "CVE-2024-40952-35f466aa",
            "signature_type": "Line",
            "target": {
                "file": "fs/ocfs2/journal.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58f7e1e2c9e72c7974054c64c3abeac81c11f822",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "65329096842401238778787989967153366954",
                    "225517645441502459334437388708087723263",
                    "74265486982878020892614678318302264162",
                    "118722444841113098525142068966527905044",
                    "188717553655884672215474358521047776040",
                    "229636591743800339310690356698682684119",
                    "243242683459745372302037522577314677050",
                    "39746730690521621435176939315848027350",
                    "86020330304503439272024057864106308317",
                    "271284774377749048209923400172064209352"
                ]
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "id": "CVE-2024-40952-94ad6f3b",
            "signature_type": "Function",
            "target": {
                "file": "fs/ocfs2/journal.c",
                "function": "ocfs2_journal_dirty"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58f7e1e2c9e72c7974054c64c3abeac81c11f822",
            "digest": {
                "function_hash": "178922478459972958413392601296302961844",
                "length": 530.0
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "id": "CVE-2024-40952-ab79bda2",
            "signature_type": "Line",
            "target": {
                "file": "fs/ocfs2/journal.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0550ad87711f815b3d73e487ec58ca7d8f56edbc",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "65329096842401238778787989967153366954",
                    "225517645441502459334437388708087723263",
                    "74265486982878020892614678318302264162",
                    "118722444841113098525142068966527905044",
                    "188717553655884672215474358521047776040",
                    "229636591743800339310690356698682684119",
                    "243242683459745372302037522577314677050",
                    "39746730690521621435176939315848027350",
                    "86020330304503439272024057864106308317",
                    "271284774377749048209923400172064209352"
                ]
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "id": "CVE-2024-40952-ac4eb209",
            "signature_type": "Function",
            "target": {
                "file": "fs/ocfs2/journal.c",
                "function": "ocfs2_journal_dirty"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72663d3e09091f431a0774227ca207c0358362dd",
            "digest": {
                "function_hash": "178922478459972958413392601296302961844",
                "length": 530.0
            },
            "deprecated": false,
            "signature_version": "v1"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.36
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.7