1. Home
  2. Vulnerabilities
  3. CVE-2024-42305
5.5
MEDIUM CVSS 3.1
CVE-2024-42305
ext4: check dot and dotdot of dx_root before making dir indexed
Description

In the Linux kernel, the following vulnerability has been resolved: ext4: check dot and dotdot of dx_root before making dir indexed Syzbot reports a issue as follows: ============================================ BUG: unable to handle page fault for address: ffffed11022e24fe PGD 23ffee067 P4D 23ffee067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0 Call Trace: <TASK> make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451 ext4_rename fs/ext4/namei.c:3936 [inline] ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214 [...] ============================================ The immediate cause of this problem is that there is only one valid dentry for the block to be split during do_split, so split==0 results in out of bounds accesses to the map triggering the issue. do_split unsigned split dx_make_map count = 1 split = count/2 = 0; continued = hash2 == map[split - 1].hash; ---> map[4294967295] The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called. But syzbot's crafted image has no dot and dotdot in dir, and the dentry distribution in dirblock is as follows: bus dentry1 hole dentry2 free |xx--|xx-------------|...............|xx-------------|...............| 0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024 So when renaming dentry1 increases its name_len length by 1, neither hole nor free is sufficient to hold the new dentry, and make_indexed_dir() is called. In make_indexed_dir() it is assumed that the first two entries of the dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root because they are treated as dot and dotdot, and only dentry2 is moved to the new leaf block. That's why count is equal to 1. Therefore add the ext4_check_dx_root() helper function to add more sanity checks to dot and dotdot before starting the conversion to avoid the above issue.

INFO

Published Date :

Aug. 17, 2024, 9:15 a.m.

Last Modified :

Nov. 3, 2025, 10:17 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2024-42305 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
Solution
Update the Linux kernel packages to address the ext4 dot handling vulnerability.
  • Update the affected kernel packages.
  • Reboot the system after the update.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-42305.

URL Resource
https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8 Patch
https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa Patch
https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7 Patch
https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a Patch
https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2 Patch
https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c Patch
https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db Patch
https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5 Patch
https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-42305 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-42305 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-42305 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2024-42305 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 03, 2025

    Action Type Old Value New Value
    Added Reference https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
    Added Reference https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • Initial Analysis by [email protected]

    Sep. 29, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-125
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.3 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.20 up to (excluding) 4.19.320 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.282 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.224 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.165 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.103 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.44 *cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5 Types: Patch
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Aug. 19, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://git.kernel.org/stable/c/b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/19e13b4d7f0303186fcc891aba8d0de7c8fdbda8 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/42d420517072028fb0eb852c358056b7717ba5aa [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8afe06ed3be7a874b3cd82ef5f8959aca8d6429a [No types assigned]
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Aug. 17, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: ext4: check dot and dotdot of dx_root before making dir indexed Syzbot reports a issue as follows: ============================================ BUG: unable to handle page fault for address: ffffed11022e24fe PGD 23ffee067 P4D 23ffee067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0 Call Trace: <TASK> make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451 ext4_rename fs/ext4/namei.c:3936 [inline] ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214 [...] ============================================ The immediate cause of this problem is that there is only one valid dentry for the block to be split during do_split, so split==0 results in out of bounds accesses to the map triggering the issue. do_split unsigned split dx_make_map count = 1 split = count/2 = 0; continued = hash2 == map[split - 1].hash; ---> map[4294967295] The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called. But syzbot's crafted image has no dot and dotdot in dir, and the dentry distribution in dirblock is as follows: bus dentry1 hole dentry2 free |xx--|xx-------------|...............|xx-------------|...............| 0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024 So when renaming dentry1 increases its name_len length by 1, neither hole nor free is sufficient to hold the new dentry, and make_indexed_dir() is called. In make_indexed_dir() it is assumed that the first two entries of the dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root because they are treated as dot and dotdot, and only dentry2 is moved to the new leaf block. That's why count is equal to 1. Therefore add the ext4_check_dx_root() helper function to add more sanity checks to dot and dotdot before starting the conversion to avoid the above issue.
    Added Reference kernel.org https://git.kernel.org/stable/c/abb411ac991810c0bcbe51c2e76d2502bf611b5c [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9d241b7a39af192d1bb422714a458982c7cc67a2 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/cdd345321699042ece4a9d2e70754d2397d378c5 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/50ea741def587a64e08879ce6c6a30131f7111e7 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 5.5
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact