CVE-2024-47736 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly
syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below:
Ext: logical offset | length : physical offset | length
  0:     0..  16384 | 16384 :    151552..   167936 | 16384
  1: 16384..  32768 | 16384 :    155648..   172032 | 16384
  2: 32768..  49152 | 16384 : 537223168.. 537239552 | 16384
...
Here, extent 0/1 are physically overlapped although it's entirely _impossible_ for normal filesystem images generated by mkfs.
First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness.
Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`") for simplicity although it shouldn't be any difference.
Analysis
by VulDB Data Team • 01/19/2026
CVE-2024-47736 affects the EROFS filesystem in the Linux kernel. A crafted image containing overlapping physical clusters (pclusters) can cause a task hang: a process deadlocks waiting for the folio lock of a cached folio that is about to be used for cache I/O. The bug was found by syzbot, the kernel's automated fuzzing infrastructure, while reading a malformed image. What the fix commit describes is a denial-of-service (hang) condition; it does not describe memory corruption or a code-execution path.
The root cause is the way the z_erofs decompression path handles compressed pclusters whose physical block ranges overlap. The extent table in the commit message shows extents 0 and 1 occupying physical ranges 151552..167936 and 155648..172032, which overlap by 12288 bytes even though their logical ranges are disjoint; mkfs.erofs never produces such a layout, so the code assumed it could not occur. Two assumptions break on this input. First, managed (cached) folios holding compressed data are marked up-to-date and unlocked as soon as their I/O completes, unlike in-place folios; if physical blocks are not submitted in increasing order, they must go into separate BIOs, otherwise one BIO can end up waiting on a folio that a not-yet-submitted BIO is supposed to fill. The pre-fix code ordered z_erofs_fill_bio_vec() and BIO submission in a way that produced exactly this unexpected wait. Second, managed folios are linked back to their owning pcluster for fast lookup, and that link has no well-defined answer when two pclusters claim the same physical block.
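To make the overlap condition concrete, the following is an added audit check written for this page; it is not the kernel's erofs code. It takes an extent table in the shape quoted in the commit message and reports pclusters whose physical byte ranges share at least one byte. The struct extent type, the function names and the second, non-overlapping table are assumptions for illustration; the three rows in crafted[] are the values quoted in the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical extent record (not a kernel type): the logical byte range
 * [lstart, lstart + llen) is backed by the physical byte range
 * [pstart, pstart + plen) inside the image file. */
struct extent {
    uint64_t lstart, llen;
    uint64_t pstart, plen;
};

/* Extents 0..2 as quoted from the crafted image in the commit message. */
static const struct extent crafted[] = {
    {     0, 16384,    151552, 16384 },
    { 16384, 16384,    155648, 16384 },
    { 32768, 16384, 537223168, 16384 },
};

/* Constructed comparison table (assumed, not from the page): the same
 * logical layout, but pclusters laid out back-to-back so that each one
 * starts exactly where the previous one ends, as mkfs.erofs would do. */
static const struct extent sane[] = {
    {     0, 16384, 151552, 16384 },
    { 16384, 16384, 167936, 16384 },
    { 32768, 16384, 184320, 16384 },
};

/* Number of physical bytes shared by a and b; 0 if they do not overlap.
 * Ranges that merely touch (a ends where b starts) share no bytes, and a
 * zero-length extent never overlaps anything. */
uint64_t physical_overlap_bytes(const struct extent *a, const struct extent *b)
{
    if (a->plen == 0 || b->plen == 0)
        return 0;
    uint64_t a_end = a->pstart + a->plen;
    uint64_t b_end = b->pstart + b->plen;
    uint64_t start = a->pstart > b->pstart ? a->pstart : b->pstart;
    uint64_t end = a_end < b_end ? a_end : b_end;
    return end > start ? end - start : 0;
}

bool physical_overlap(const struct extent *a, const struct extent *b)
{
    return physical_overlap_bytes(a, b) != 0;
}

/* Counts unordered pairs of extents whose physical ranges overlap. The
 * pairwise O(n^2) scan is fine for an offline audit; for images with many
 * extents, sort by pstart and sweep with the largest end seen so far. */
size_t count_physical_overlaps(const struct extent *ext, size_t n)
{
    size_t pairs = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (physical_overlap(&ext[i], &ext[j]))
                pairs++;
    return pairs;
}

/* Stand-alone driver: print every overlapping pair and the overlap size. */
static void report(const char *name, const struct extent *ext, size_t n)
{
    printf("%s: %zu overlapping pair(s)\n", name, count_physical_overlaps(ext, n));
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            uint64_t ov = physical_overlap_bytes(&ext[i], &ext[j]);
            if (ov)
                printf("  extents %zu and %zu overlap physically by %llu bytes\n",
                       i, j, (unsigned long long)ov);
        }
}

int main(void)
{
    report("crafted", crafted, sizeof crafted / sizeof crafted[0]);
    report("sane", sane, sizeof sane / sizeof sane[0]);
    return 0;
}
```

Run against the quoted table, the check flags extents 0 and 1 (12288 shared bytes) and nothing else; the back-to-back table produces no hits, which is the invariant the pre-fix kernel code silently relied on.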
The practical impact is a hung kernel task and, depending on what the stuck process was doing, a denial of service on the affected system. The precondition is that the kernel mounts and reads an EROFS image the attacker controls, for example a loop-mounted image file or automounted removable media. The mechanism is a synchronization and ordering bug: managed folios containing compressed data are marked up-to-date and unlocked as soon as their compressed I/O completes, and when physical blocks are submitted out of increasing order within one BIO the resulting dependency leaves a task waiting on a folio lock that is never released. The on-disk metadata parses cleanly; it simply describes a layout the code assumed could not exist.
The fix takes a fail-safe approach for a layout that only appears in fuzzed or crafted images. When overlapped big pclusters are present, the code no longer tries to link managed folios to their pclusters and instead falls back to temporary short-lived pages, trading some efficiency for correctness. It also rearranges z_erofs_fill_bio_vec() relative to BIO submission so that out-of-order physical blocks are not chained into a BIO that would wait on them. For simplicity the patch reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`"), which the author notes should make no functional difference, and it records that referenced managed folios cannot be truncated for now. This is hardening against malformed input rather than a privilege or access-control change. The fix commit assigns no CWE or ATT&CK classification; the behaviour it describes is a kernel task hang, a denial-of-service outcome, and nothing in it points to code execution. The case is a good illustration of why kernel filesystem code cannot trust on-disk invariants that only a well-behaved mkfs would uphold, and of how coverage-guided fuzzing such as syzbot finds the layouts a human reviewer would consider impossible.