CVE-2024-57929

High

Published: 19 January 2025

Published

19 January 2025

Modified

03 November 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0002 6.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>

Security Summary

CVE-2024-57929 is a vulnerability in the Linux kernel's device-mapper (dm) array module, specifically affecting the dm_array_cursor_end() function. When dm_bm_read_lock() fails due to locking or checksum errors—such as on a faulty array block—it implicitly releases the block while leaving an invalid pointer. The dm_array_cursor incorrectly caches this invalid dm_block pointer, leading to a double release during dm_array_cursor_end() and triggering a BUG_ON() in the dm-bufio cache_put() at drivers/md/dm-bufio.c:638. This issue manifests in dm-cache metadata operations, as demonstrated by reproducer steps involving initialization of a cache device, offline wiping of a specific array block, and reopening the device.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a local scope (AV:L/S:U). By corrupting specific metadata blocks, such as the second array block in a dm-cache setup, the attacker triggers the faulty read, invalid pointer caching, and subsequent double release. This results in a kernel BUG and system crash, achieving high availability impact (A:H) and high confidentiality impact (C:H) per the CVSS 3.1 score of 7.1, with no integrity impact (I:N) and mapping to CWE-672.

The referenced kernel stable commits provide the fix by setting the cached block pointer to NULL upon errors in dm_bm_read_lock() failures, preventing the double release. These patches are available at git.kernel.org/stable for backported kernels: 017c4470bff5, 6002bec5354f, 738994872d77, 9c7c03d0e926, and e477021d252c. The fix can be verified using the dm-unit test "array_cursor/damaged".

No real-world exploitation is reported, and the vulnerability is verifiable via provided reproducer steps or dm-unit testing on affected kernels.

Details

CWE(s): CWE-672

Affected Products

linux

linux kernel

6.13 · 4.9 — 5.4.290 · 5.5 — 5.10.234 · 5.11 — 5.15.177

References

https://git.kernel.org/stable/c/017c4470bff53585370028fec9341247bad358ff
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6002bec5354f86d1a2df21468f68e3ec03ede9da
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/738994872d77e189b2d13c501a1d145e95d98f46
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9c7c03d0e926762adf3a3a0ba86156fb5e19538b
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e477021d252c007f0c6d45b5d13d341efed03979
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f2893c0804d86230ffb8f1c8703fdbb18648abc8
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fc1ef07c3522e257e32702954f265debbcb096a7
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
af854a3a-2127-422b-91ae-364da2661108