CVE-2024-49933 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

blk_iocost: fix more out of bound shifts

Recently running UBSAN caught few out of bound shifts in the ioc_forgive_debts() function:

UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... Call Trace:

dump_stack_lvl+0xca/0x130 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 ? __lock_acquire+0x6441/0x7c10 ioc_timer_fn+0x6cec/0x7750 ? blk_iocost_init+0x720/0x720 ? call_timer_fn+0x5d/0x470 call_timer_fn+0xfa/0x470 ? blk_iocost_init+0x720/0x720 __run_timer_base+0x519/0x700 ...

Actual impact of this issue was not identified but I propose to fix the undefined behaviour. The proposed fix to prevent those out of bound shifts consist of precalculating exponent before using it the shift operations by taking min value from the actual exponent and maximum possible number of bits.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/18/2026

The vulnerability CVE-2024-49933 addresses a critical out-of-bounds shift operation within the Linux kernel's block I/O cost control subsystem, specifically in the blk_iocost module. This issue manifests as undefined behavior through UBSAN (Undefined Behavior Sanitizer) warnings indicating that shift exponents of 80 bits exceed the maximum allowable size for 64-bit unsigned long long integers. The problem occurs in the ioc_forgive_debts() function at lines 2142 and 2144 of the block/blk-iocost.c source file, where the kernel attempts to perform bit shifting operations that exceed the data type's capacity.

The technical flaw stems from improper validation of shift exponent values before their application in bitwise operations. When the kernel processes I/O cost calculations for block devices, it computes certain values that may result in excessively large shift operations. The underlying issue is that the code does not enforce bounds checking on the shift exponent values, allowing them to exceed the maximum number of bits available in the target data type. This creates a scenario where the compiler generates undefined behavior, potentially leading to memory corruption or system instability. The vulnerability aligns with CWE-758: Reliance on Undefined Behavior and represents a classic example of improper integer handling in kernel space.

The operational impact of this vulnerability extends beyond simple undefined behavior, as it could potentially be exploited to cause system crashes or more serious security implications through memory corruption. While the actual exploitation vector has not been identified, the presence of undefined behavior in kernel code creates potential attack surfaces for sophisticated adversaries who might leverage such flaws in combination with other vulnerabilities. The call trace shows the issue originates from timer functions within the I/O cost control subsystem, suggesting that regular I/O operations could trigger this condition during normal system operation. This makes the vulnerability particularly concerning as it could affect system stability during routine operations.

The proposed fix implements a defensive programming approach by pre-calculating shift exponents and taking the minimum value between the actual computed exponent and the maximum possible bits for the target data type. This mitigation strategy prevents the out-of-bounds condition by ensuring that shift operations remain within the valid range of the underlying data type. The solution follows established security practices for preventing integer overflow conditions and aligns with ATT&CK technique T1070.004 (Path Interception) by ensuring proper bounds checking in system-critical kernel components. The fix represents a minimal but effective change that maintains the intended functionality while eliminating the undefined behavior. This approach is consistent with kernel security best practices that emphasize defensive programming and the principle of least privilege in system-level code execution.

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00241

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!