CVE-2024-57929

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57929
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57929.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-57929
Downstream
Related
Published
2025-01-19T11:52:46.096Z
Modified
2025-11-27T02:33:44.559626Z
Summary
dm array: fix releasing a faulty array block twice in dm_array_cursor_end
Details

In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dmarraycursor_end

When dmbmreadlock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dmbmreadlock() should not operate on this invalid dmblock pointer, or it will lead to undefined result. For example, the dmarraycursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dmarraycursorend(), then hitting the BUGON in dm-bufio cacheput().

Reproduce steps:

  1. initialize a cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

  1. wipe the second array block offline

dmsteup remove cache cmeta cdata corig mappingroot=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mappingroot+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

  1. try reopen the cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip) device-mapper: array: arrayblockcheck failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: getablock failed device-mapper: cache metadata: dmarraycursornext for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be verified using the "arraycursor/damaged" test in dm-unit: dm-unit run /pdata/arraycursor/damaged --kernel-dir <KERNEL_DIR>

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/57xxx/CVE-2024-57929.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
9c7c03d0e926762adf3a3a0ba86156fb5e19538b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
fc1ef07c3522e257e32702954f265debbcb096a7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
738994872d77e189b2d13c501a1d145e95d98f46
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
e477021d252c007f0c6d45b5d13d341efed03979
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
6002bec5354f86d1a2df21468f68e3ec03ede9da
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
017c4470bff53585370028fec9341247bad358ff
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fdd1315aa5f022fe6574efdc2d9535f75a0ee255
Fixed
f2893c0804d86230ffb8f1c8703fdbb18648abc8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.9.0
Fixed
5.4.290
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.234
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.177
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.125
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.72
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.10