CVE-2024-50278 in Linux
Summary
by MITRE • 11/19/2024
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix potential out-of-bounds access on the first resume
Out-of-bounds access occurs if the fast device is expanded unexpectedly before the first-time resume of the cache table. This happens because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, and the check in cache_preresume is not performed during the first resume, leading to the issue.
Reproduce steps:
1. prepare component devices:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
2. load a cache table of 512 cache blocks, and deliberately expand the fast device before resuming the cache, making the in-core data structures inadequate.
dmsetup create cache --notable dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache
3. suspend the cache to write out the in-core dirty bitset and hint array, leading to out-of-bounds access to the dirty bitset at offset 0x40:
dmsetup suspend cache
KASAN reports:
BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80 Read of size 8 at addr ffffc90000085040 by task dmsetup/90
(...snip...) The buggy address belongs to the virtual mapping at [ffffc90000085000, ffffc90000087000) created by:
cache_ctr+0x176a/0x35f0
(...snip...) Memory state around the buggy address: ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fix by checking the size change on the first resume.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/02/2025
The vulnerability described in CVE-2024-50278 affects the Linux kernel's device mapper cache target implementation, specifically during the first resume operation of a cache table. This issue arises from a potential out-of-bounds memory access condition that occurs when the fast device backing the cache is expanded before the initial resume of the cache table. The device mapper cache subsystem manages caching of data between a metadata device, a data device, and an origin device, creating a layered storage abstraction that requires careful synchronization during device state transitions. The flaw manifests when the cache subsystem attempts to handle device expansion events that occur prior to the first resume, leading to a scenario where in-core data structures are insufficiently sized to accommodate the expanded device dimensions.
The technical root cause stems from the cache_preresume function's failure to perform size validation checks during the initial resume phase. When a cache table is first loaded and resumed, the subsystem allocates in-core data structures based on the initial device sizes. However, if the fast device (cdata in the reproduction steps) is expanded through a reload operation before the first resume, the subsequent resume operation does not validate whether the existing in-core structures can accommodate the new device dimensions. This mismatch creates a situation where memory access operations target addresses beyond the allocated virtual memory mappings, resulting in out-of-bounds access violations. The vulnerability specifically affects the dirty bitset and hint array data structures that track cache state information, with KASAN reporting the issue at offset 0x40 in the dirty bitset structure.
The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a critical security flaw that could potentially be exploited to gain unauthorized access to kernel memory or cause system instability. The out-of-bounds access occurs during the cache suspension process when the subsystem attempts to write out dirty bitset information, making this a particularly concerning issue for systems relying on device mapper caching for performance optimization. This vulnerability affects systems using device mapper cache targets, particularly those implementing cache policies with metadata2 writethrough and smq options, and could be exploited in scenarios where dynamic device resizing occurs in cache configurations. The issue is classified under CWE-129 as an improper input validation, specifically related to insufficient bounds checking during memory allocation and access operations.
Mitigation strategies for this vulnerability involve implementing proper size validation checks during the first resume operation of cache tables, ensuring that in-core data structures are appropriately sized before any memory access operations occur. The fix requires modifying the cache_preresume function to verify that device sizes match the allocated data structures, or to reallocate appropriate structures when size changes are detected. System administrators should ensure that all Linux kernel updates are applied promptly, particularly those containing the specific patch addressing this out-of-bounds access condition. Additionally, monitoring for device mapper cache configurations that might be subject to dynamic resizing operations during cache lifecycle management can help identify potentially vulnerable systems. The ATT&CK framework categorizes this vulnerability under T1068 as an exploit for privilege escalation through kernel memory corruption, making it particularly significant for enterprise security postures that rely on device mapper caching for storage performance optimization.