CVE-2024-57929

Summary

In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().

Reproduce steps:

  1. initialize a cache device

dmsetup create cmeta –table "0 8192 linear /dev/sdc 0" dmsetup create cdata –table "0 65536 linear /dev/sdc 8192" dmsetup create corig –table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache –table "0 524288 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

  1. wipe the second array block offline

dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192
2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056))
2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

  1. try reopen the cache device

dmsetup create cmeta –table "0 8192 linear /dev/sdc 0" dmsetup create cdata –table "0 65536 linear /dev/sdc 8192" dmsetup create corig –table "0 524288 linear /dev/sdc $262144" dmsetup create cache –table "0 524288 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ————[ cut here ]———— kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged –kernel-dir <KERNEL_DIR>

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < 9c7c03d0e926762adf3a3a0ba86156fb5e19538baffected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < fc1ef07c3522e257e32702954f265debbcb096a7affected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < 738994872d77e189b2d13c501a1d145e95d98f46affected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < e477021d252c007f0c6d45b5d13d341efed03979affected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < 6002bec5354f86d1a2df21468f68e3ec03ede9daaffected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < 017c4470bff53585370028fec9341247bad358ffaffected
LinuxLinuxfdd1315aa5f022fe6574efdc2d9535f75a0ee255 < f2893c0804d86230ffb8f1c8703fdbb18648abc8affected
LinuxLinux4.9affected
LinuxLinux0 < 4.9unaffected
LinuxLinux5.4.290 <= 5.4.*unaffected
LinuxLinux5.10.234 <= 5.10.*unaffected
LinuxLinux5.15.177 <= 5.15.*unaffected
LinuxLinux6.1.125 <= 6.1.*unaffected
LinuxLinux6.6.72 <= 6.6.*unaffected
LinuxLinux6.12.10 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References