DEBIAN-CVE-2024-44941

Source
https://security-tracker.debian.org/tracker/CVE-2024-44941
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-44941.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-44941
Upstream
Published
2024-08-26T12:15:06Z
Modified
2025-09-19T06:19:46Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to cover read extent cache access with lock syzbot reports a f2fs bug as below: BUG: KASAN: slab-use-after-free in sanitycheckextentcache+0x370/0x410 fs/f2fs/extentcache.c:46 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097 CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:114 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 sanitycheckextentcache+0x370/0x410 fs/f2fs/extentcache.c:46 doreadinode fs/f2fs/inode.c:509 [inline] f2fsiget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fsnfsgetinode+0x74/0x100 fs/f2fs/super.c:3237 genericfhtodentry+0x9f/0xf0 fs/libfs.c:1413 exportfsdecodefhraw+0x152/0x5f0 fs/exportfs/expfs.c:444 exportfsdecodefh+0x3c/0x80 fs/exportfs/expfs.c:584 dohandletopath fs/fhandle.c:155 [inline] handletopath fs/fhandle.c:210 [inline] dohandleopen+0x495/0x650 fs/fhandle.c:226 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf5/0x240 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f We missed to cover sanitycheckextentcache() w/ extent cache lock, so, below race case may happen, result in use after free issue. - f2fsiget - doreadinode - f2fsinitreadextenttree : add largest extent entry in to cache - shrink - f2fsshrinkreadextenttree - _shrinkextenttree - _detachextentnode : drop largest extent entry - sanitycheckextentcache : access et->largest w/o lock let's refactor sanitycheckextentcache() to avoid extent cache access and call it before f2fsinitreadextent_tree() to fix this issue.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}