{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-49884",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-10-21T12:17:06.022Z",
        "datePublished": "2024-10-21T18:01:21.517Z",
        "dateUpdated": "2024-10-22T13:48:50.117Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-10-21T18:01:21.517Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-use-after-free in ext4_split_extent_at()\n\nWe hit the following use-after-free:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0\nRead of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40\nCPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n ext4_split_extent_at+0xba8/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nAllocated by task 40:\n __kmalloc_noprof+0x1ac/0x480\n ext4_find_extent+0xf3b/0x1e70\n ext4_ext_map_blocks+0x188/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nFreed by task 40:\n kfree+0xf1/0x2b0\n ext4_find_extent+0xa71/0x1e70\n ext4_ext_insert_extent+0xa22/0x3260\n ext4_split_extent_at+0x3ef/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\next4_split_extent_at\n  path = *ppath\n  ext4_ext_insert_extent(ppath)\n    ext4_ext_create_new_leaf(ppath)\n      ext4_find_extent(orig_path)\n        path = *orig_path\n        read_extent_tree_block\n          // return -ENOMEM or -EIO\n        ext4_free_ext_path(path)\n          kfree(path)\n        *orig_path = NULL\n  a. If err is -ENOMEM:\n  ext4_ext_dirty(path + path->p_depth)\n  // path use-after-free !!!\n  b. If err is -EIO and we have EXT_DEBUG defined:\n  ext4_ext_show_leaf(path)\n    eh = path[depth].p_hdr\n    // path also use-after-free !!!\n\nSo when trying to zeroout or fix the extent length, call ext4_find_extent()\nto update the path.\n\nIn addition we use *ppath directly as an ext4_ext_show_leaf() input to\navoid possible use-after-free when EXT_DEBUG is defined, and to avoid\nunnecessary path updates."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/ext4/extents.c"
                    ],
                    "versions": [
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "e52f933598b7",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "cafcc1bd6293",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "a5401d4c3e2a",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "8fe117790b37",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "5d949ea75bb5",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "915ac3630488",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "dfe5080939ea",
                            "lessThan": "c26ab35702f8",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/ext4/extents.c"
                    ],
                    "versions": [
                        {
                            "version": "3.18",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "3.18",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.227",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.168",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.113",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.55",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.10.14",
                            "lessThanOrEqual": "6.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.11.3",
                            "lessThanOrEqual": "6.11.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.12-rc1",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185"
                },
                {
                    "url": "https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe"
                },
                {
                    "url": "https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9"
                },
                {
                    "url": "https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3"
                },
                {
                    "url": "https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238"
                },
                {
                    "url": "https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18"
                },
                {
                    "url": "https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f"
                }
            ],
            "title": "ext4: fix slab-use-after-free in ext4_split_extent_at()",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2024-49884",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-10-22T13:45:15.776351Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-10-22T13:48:50.117Z"
                }
            }
        ]
    }
}