CVE-2024-57929
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-57929
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57929.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-57929
- Downstream
- Related
- Published
- 2025-01-19T12:15:27Z
- Modified
- 2025-09-26T19:09:58Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
dm array: fix releasing a faulty array block twice in dmarraycursor_end
When dmbmreadlock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dmbmreadlock() should not operate on this invalid dmblock pointer, or it will lead to undefined result. For example, the dmarraycursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dmarraycursorend(), then hitting the BUGON in dm-bufio cacheput().
Reproduce steps:
- initialize a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
- wipe the second array block offline
dmsteup remove cache cmeta cdata corig mappingroot=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mappingroot+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock
- try reopen the cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
Kernel logs:
(snip) device-mapper: array: arrayblockcheck failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: getablock failed device-mapper: cache metadata: dmarraycursornext for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638!
Fix by setting the cached block pointer to NULL on errors.
In addition to the reproducer described above, this fix can be verified using the "arraycursor/damaged" test in dm-unit: dm-unit run /pdata/arraycursor/damaged --kernel-dir <KERNEL_DIR>
- References
-
- https://git.kernel.org/stable/c/017c4470bff53585370028fec9341247bad358ff
- https://git.kernel.org/stable/c/6002bec5354f86d1a2df21468f68e3ec03ede9da
- https://git.kernel.org/stable/c/738994872d77e189b2d13c501a1d145e95d98f46
- https://git.kernel.org/stable/c/9c7c03d0e926762adf3a3a0ba86156fb5e19538b
- https://git.kernel.org/stable/c/e477021d252c007f0c6d45b5d13d341efed03979
- https://git.kernel.org/stable/c/f2893c0804d86230ffb8f1c8703fdbb18648abc8
- https://git.kernel.org/stable/c/fc1ef07c3522e257e32702954f265debbcb096a7