CVE-2024-50279 in Linuxinfo

Summary

by MITRE • 11/19/2024

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug in bitset iteration causes out-of-bounds access.

Reproduce steps:

1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. shrink the fast device to 512 cache blocks, triggering out-of-bounds access to the dirty bitset (offset 0x80)

dmsetup suspend cache dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192" dmsetup resume cdata dmsetup resume cache

KASAN reports:

BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0 Read of size 8 at addr ffffc900000f3080 by task dmsetup/131

(...snip...) The buggy address belongs to the virtual mapping at [ffffc900000f3000, ffffc900000f5000) created by:
cache_ctr+0x176a/0x35f0

(...snip...) Memory state around the buggy address: ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by making the index post-incremented.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 10/02/2025

The vulnerability CVE-2024-50279 represents a critical out-of-bounds memory access flaw within the Linux kernel's device mapper cache subsystem. This issue specifically affects the dm-cache module which manages caching operations for block devices through the device mapper framework. The vulnerability manifests when attempting to resize a cache device by shrinking the fast device, triggering an improper iteration over the dirty bitset that governs cache block states. The flaw stems from a classic indexing error in the bitset traversal logic where the index variable is incremented post-operation instead of pre-operation, leading to access beyond the allocated memory boundaries. This type of vulnerability falls under CWE-129 Input Validation and OWASP Top Ten category A03: Injection, as it involves improper handling of memory access patterns during dynamic resource management. The device mapper cache subsystem operates at a low level within the kernel, making such vulnerabilities particularly dangerous as they can lead to system instability, data corruption, or potential privilege escalation attacks.

The technical implementation of this vulnerability occurs during the cache_preresume function when the system attempts to check dirty bits of cache blocks that are being removed during device resizing operations. The dirty bitset, which tracks which cache blocks contain modified data, is allocated with a specific size based on the number of cache blocks. In the reproduction case, a cache device is initialized with 1024 blocks, resulting in a 128-byte dirty bitset. When the fast device is shrunk to 512 cache blocks, the code attempts to iterate through the bitset to determine which blocks are dirty, but due to the incorrect index handling, it accesses memory at offset 0x80, which exceeds the allocated 128-byte boundary. This results in a virtual memory access violation that KASAN (Kernel Address Sanitizer) detects, reporting a vmalloc-out-of-bounds error. The memory layout shows that the access occurs at address ffffc900000f3080, which is 128 bytes beyond the allocated bitset region, confirming the out-of-bounds access pattern. This behavior aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, as such memory corruption vulnerabilities can be leveraged to execute arbitrary code with kernel privileges.

The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling attackers to exploit the memory corruption for more sophisticated attacks. When the cache device is resized, the kernel's memory management system becomes compromised, leading to potential data loss or system instability. The vulnerability specifically affects systems running Linux kernels with device mapper cache functionality, particularly those managing large storage volumes or systems with dynamic storage allocation requirements. The fix implemented addresses the root cause by changing the bitset iteration logic to use pre-incremented indices rather than post-incremented ones, ensuring that all memory accesses remain within the allocated bounds. This modification directly addresses the underlying issue identified through KASAN analysis and prevents the access violation that would otherwise occur during cache device resizing operations. Organizations should prioritize applying this kernel patch, especially in production environments where device mapper cache is actively used, as the vulnerability can be triggered through normal cache management operations and may not require special privileges to exploit. The fix demonstrates the importance of careful index management in kernel code and proper bounds checking when dealing with dynamically sized data structures, particularly in subsystems that handle critical system resources like storage caching.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00262

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!