5.5
MEDIUM
CVE-2024-49881
"Linux Kernel ext4 NULL Pointer Dereference"
Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: update orig_path in ext4_find_extent()

In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example:

    ext4_split_extent
      path = *ppath = 2000
      ext4_find_extent
        if (depth > path[0].p_maxdepth)
          kfree(path = 2000);
          *orig_path = path = NULL;
          path = kcalloc() = 3000
      ext4_split_extent_at(*ppath = NULL)
        path = *ppath;
        ex = path[depth].p_ext;   // NULL pointer dereference!

    ==================================================================
    BUG: kernel NULL pointer dereference, address: 0000000000000010
    CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
    RIP: 0010:ext4_split_extent_at+0x6d/0x560
    Call Trace:
     <TASK>
     ext4_split_extent.isra.0+0xcb/0x1b0
     ext4_ext_convert_to_initialized+0x168/0x6c0
     ext4_ext_handle_unwritten_extents+0x325/0x4d0
     ext4_ext_map_blocks+0x520/0xdb0
     ext4_map_blocks+0x2b0/0x690
     ext4_iomap_begin+0x20e/0x2c0
     [...]
    ==================================================================

Therefore, *orig_path is updated when the extent lookup succeeds, so that the caller can safely use path or *ppath.
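The pointer-aliasing mistake the commit message describes, rebuilt as an added user-space C model. This is not kernel code and not taken from cvefeed.io or the kernel patch: struct ext_path, alloc_path(), find_extent_buggy(), find_extent_fixed() and split_extent() are simplified stand-ins chosen for this example, and the depths passed in main() are constructed input. The point it shows is that a lookup taking a double pointer, which reallocates when the cached path is too shallow, must store the new allocation back through that pointer; otherwise the caller's own local still works while anything reading through *ppath sees NULL, and the new allocation is reachable only via the return value.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for the kernel's struct ext4_ext_path: a heap array with one
 * element per tree level; element 0 carries the capacity (p_maxdepth) the way
 * the real code does. The kernel layout is richer; only the aliasing matters here. */
struct ext_path {
    int p_maxdepth;   /* capacity, meaningful in path[0] only */
    int p_ext;        /* stands in for the per-level extent pointer */
};

static struct ext_path *alloc_path(int depth)
{
    struct ext_path *p = calloc((size_t)depth + 2, sizeof *p);
    if (!p)
        return NULL;
    p[0].p_maxdepth = depth + 1;
    return p;
}

/* Model of the buggy ext4_find_extent(): if the cached path is too shallow it is
 * freed and *orig_path cleared, but the replacement travels only through the
 * return value and is never stored back through orig_path. */
static struct ext_path *find_extent_buggy(int depth, struct ext_path **orig_path)
{
    struct ext_path *path = orig_path ? *orig_path : NULL;

    if (path && depth > path[0].p_maxdepth) {
        free(path);
        *orig_path = path = NULL;
    }
    if (!path) {
        path = alloc_path(depth);
        if (!path)
            return NULL;
        /* BUG: *orig_path is still NULL here */
    }
    for (int i = 0; i <= depth; i++)
        path[i].p_ext = i + 1;          /* pretend the lookup filled every level */
    return path;
}

/* Same lookup with the fix: publish the (possibly reallocated) path to the caller. */
static struct ext_path *find_extent_fixed(int depth, struct ext_path **orig_path)
{
    struct ext_path *path = orig_path ? *orig_path : NULL;

    if (path && depth > path[0].p_maxdepth) {
        free(path);
        *orig_path = path = NULL;
    }
    if (!path) {
        path = alloc_path(depth);
        if (!path)
            return NULL;
    }
    for (int i = 0; i <= depth; i++)
        path[i].p_ext = i + 1;
    if (orig_path)
        *orig_path = path;              /* the fix: caller's *ppath tracks the new path */
    return path;
}

struct outcome {
    int value;      /* p_ext read through *ppath, or -1 where the kernel would fault */
    int orphaned;   /* 1 if the reallocated path is reachable only via the return value */
};

/* Model of ext4_split_extent() -> ext4_find_extent() -> ext4_split_extent_at(): the
 * caller holds a cached path of depth cached_depth, the lookup needs needed_depth,
 * and the inner step reads through *ppath as the real ext4_split_extent_at() does.
 * Instead of dereferencing NULL, the model reports it. */
static struct outcome split_extent(int cached_depth, int needed_depth, int use_fix)
{
    struct outcome o = { -1, 0 };
    struct ext_path *cached = alloc_path(cached_depth);
    struct ext_path **ppath = &cached;
    struct ext_path *path = use_fix ? find_extent_fixed(needed_depth, ppath)
                                    : find_extent_buggy(needed_depth, ppath);

    if (*ppath == NULL) {
        /* ext4_split_extent_at(*ppath = NULL): path[depth].p_ext would fault here */
        o.orphaned = (path != NULL);
        free(path);                     /* a kernel caller bailing out on *ppath would leak this */
    } else {
        o.value = (*ppath)[needed_depth].p_ext;
        free(*ppath);
    }
    return o;
}

int main(void)
{
    struct outcome b = split_extent(2, 5, 0);   /* cached depth 2, lookup needs 5: realloc */
    struct outcome f = split_extent(2, 5, 1);
    printf("buggy: value=%d orphaned=%d\n", b.value, b.orphaned);
    printf("fixed: value=%d orphaned=%d\n", f.value, f.orphaned);
    return 0;
}
```

The interesting case is the first call: the cached path is too shallow, so the buggy lookup frees it, nulls *ppath, allocates a bigger one and returns it, leaving the inner step to read through a NULL *ppath while the bigger allocation is orphaned. When the cached path is already deep enough, both variants behave identically, which is why the bug only shows up under workloads that grow the extent tree depth mid-operation (the report above came from fsstress).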

INFO

Published Date: Oct. 21, 2024, 6:15 p.m.
Last Modified: Nov. 8, 2024, 4:15 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 1.8
Affected Products

The following product is affected by CVE-2024-49881. The table lists only the vendor and product; the affected version ranges are given in the CPE configuration recorded in the change history below.

ID  Vendor  Product
1   Linux   linux_kernel

Public exploits and proof-of-concepts published on GitHub (cvefeed.io scans repositories for new proof-of-concept code; results are limited to the first 15 repositories for performance reasons): none listed for CVE-2024-49881.

News articles mentioning CVE-2024-49881: none listed.

The following table lists the changes that have been made to the CVE-2024-49881 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 08, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://git.kernel.org/stable/c/ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff [No types assigned]
  • Initial Analysis by NIST

    Oct. 25, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Changed Reference Type from "No Types Assigned" to "Patch" for each of:
        https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea304c1b96
        https://git.kernel.org/stable/c/5b4b2dcace35f618fe361a87bae6f0d13af31bc1
        https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599
        https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679
        https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd
        https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42
        https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2
    Added CWE NIST CWE-476
    Added CPE Configuration: OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with versions
        from 3.18 (including) up to 5.10.227 (excluding)
        from 5.11 (including) up to 5.15.168 (excluding)
        from 5.16 (including) up to 6.1.113 (excluding)
        from 6.2 (including) up to 6.6.55 (excluding)
        from 6.7 (including) up to 6.10.14 (excluding)
        from 6.11 (including) up to 6.11.3 (excluding)
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Oct. 21, 2024

    Action Type Old Value New Value
    Added Description (text identical to the Description section above)
    Added Reference kernel.org https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea304c1b96 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/5b4b2dcace35f618fe361a87bae6f0d13af31bc1 [No types assigned]
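To turn the CPE version ranges recorded in the change history above into a quick local check, here is an added C example; it is not cvefeed.io or NVD tooling. It reads the running kernel's release string via uname(2) and tests it against the six [lo, hi) ranges transcribed from the CPE entry. The range table is copied from the history entry; parse_kver(), kver_cmp() and is_affected() are names chosen for this example, and the release strings in the usage note are constructed. Caveat: this judges by upstream version number only. Distribution kernels that backport the fix under an older version string, and -rc builds, must be checked against the vendor's own advisory or the presence of the commit, not against these numbers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Affected ranges as listed in the NVD CPE configuration for CVE-2024-49881:
 * lo is inclusive, hi is exclusive (the first fixed stable release). */
struct kver { int major, minor, patch; };
struct range { struct kver lo, hi; };

static const struct range affected[] = {
    { {3, 18, 0}, {5, 10, 227} },
    { {5, 11, 0}, {5, 15, 168} },
    { {5, 16, 0}, {6,  1, 113} },
    { {6,  2, 0}, {6,  6,  55} },
    { {6,  7, 0}, {6, 10,  14} },
    { {6, 11, 0}, {6, 11,   3} },
};

/* Parse the leading "major.minor[.patch]" of a release string such as
 * "6.6.54-generic" or "6.11.0-rc2"; anything after the numeric triple is ignored.
 * Returns 0 on success, -1 if there is no "major.minor" prefix. */
static int parse_kver(const char *s, struct kver *out)
{
    int n = 0;

    out->major = out->minor = out->patch = 0;
    if (sscanf(s, "%d.%d%n", &out->major, &out->minor, &n) < 2)
        return -1;
    if (s[n] == '.')
        sscanf(s + n + 1, "%d", &out->patch);   /* missing patch level reads as 0 */
    return 0;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major)
        return a.major - b.major;
    if (a.minor != b.minor)
        return a.minor - b.minor;
    return a.patch - b.patch;
}

/* 1 if the release falls inside an affected upstream range, 0 if it does not,
 * -1 if the string cannot be parsed. */
static int is_affected(const char *release)
{
    struct kver v;

    if (parse_kver(release, &v) < 0)
        return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(v, affected[i].lo) >= 0 && kver_cmp(v, affected[i].hi) < 0)
            return 1;
    return 0;
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    r = is_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside an affected upstream range (verify against your distro)" :
           r == 0 ? "outside the affected upstream ranges" :
                    "release string not parseable");
    return 0;
}
```

Against constructed release strings, "6.6.54" and "5.10.226-generic" land inside a range, while "6.6.55", "5.10.227" and "6.12.0" fall outside; a string with no numeric prefix is reported as unparseable rather than silently treated as safe.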
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-49881 is associated with the following CWE:

CWE-476: NULL Pointer Dereference (assigned by NIST; see the change history above)

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit weaknesses such as the one behind CVE-2024-49881. None are listed for this CVE.

CVSS 3.1 - Vulnerability Scoring System (NIST vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, base score 5.5 Medium)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High