{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix double brelse() the buffer of the extents path",
    "id" : "2320462",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320462"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-415",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix double brelse() the buffer of the extents path\nIn ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been\nreleased, otherwise it may be released twice. An example of what triggers\nthis is as follows:\nsplit2    map    split1\n|--------|-------|--------|\next4_ext_map_blocks\next4_ext_handle_unwritten_extents\next4_split_convert_extents\n// path->p_depth == 0\next4_split_extent\n// 1. do split1\next4_split_extent_at\n|ext4_ext_insert_extent\n|  ext4_ext_create_new_leaf\n|    ext4_ext_grow_indepth\n|      le16_add_cpu(&neh->eh_depth, 1)\n|    ext4_find_extent\n|      // return -ENOMEM\n|// get error and try zeroout\n|path = ext4_find_extent\n|  path->p_depth = 1\n|ext4_ext_try_to_merge\n|  ext4_ext_try_to_merge_up\n|    path->p_depth = 0\n|    brelse(path[1].p_bh)  ---> not set to NULL here\n|// zeroout success\n// 2. update path\next4_find_extent\n// 3. do split2\next4_split_extent_at\next4_ext_insert_extent\next4_ext_create_new_leaf\next4_ext_grow_indepth\nle16_add_cpu(&neh->eh_depth, 1)\next4_find_extent\npath[0].p_bh = NULL;\npath->p_depth = 1\nread_extent_tree_block  ---> return err\n// path[1].p_bh is still the old value\next4_free_ext_path\next4_ext_drop_refs\n// path->p_depth == 1\nbrelse(path[1].p_bh)  ---> brelse a buffer twice\nFinally got the following WARNING when removing the buffer from lru:\n============================================\nVFS: brelse: Trying to free free buffer\nWARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90\nCPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716\nRIP: 0010:__brelse+0x58/0x90\nCall Trace:\n<TASK>\n__find_get_block+0x6e7/0x810\nbdev_getblk+0x2b/0x480\n__ext4_get_inode_loc+0x48a/0x1240\next4_get_inode_loc+0xb2/0x150\next4_reserve_inode_write+0xb7/0x230\n__ext4_mark_inode_dirty+0x144/0x6a0\next4_ext_insert_extent+0x9c8/0x3230\next4_ext_map_blocks+0xf45/0x2dc0\next4_map_blocks+0x724/0x1700\next4_do_writepages+0x12d6/0x2a70\n[...]\n============================================" ],
  "statement" : "This issue is considered to be a moderate impact flaw, as exploiting it requires ADMIN (or ROOT) privileges (PR:H).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-49882\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49882\nhttps://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-49882-4169@gregkh/T" ],
  "name" : "CVE-2024-49882",
  "csaw" : false
}