7.1
HIGH
CVE-2024-50250
Linux Kernel Fsdax Data Integrity Corrupting Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, even if its pos argument is in the middle of that page. This is catastrophic for data integrity when iter->pos is not aligned to a page, because daddr/saddr do not point to the same byte in the file as iter->pos. Hence we corrupt user data by copying it to the wrong place. If iter->pos + iomap_length() in the _iter function not aligned to a page, then we fail to copy a full block, and only partially populate the destination block. This is catastrophic for data confidentiality because we expose stale pmem contents. Fix both of these issues by aligning copy_pos/copy_len to a page boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that we always copy full blocks. We're not done yet -- there's no call to invalidate_inode_pages2_range, so programs that have the file range mmap'd will continue accessing the old memory mapping after the file metadata updates have completed. Be careful with the return value -- if the unshare succeeds, we still need to return the number of bytes that the iomap iter thinks we're operating on.

INFO

Published Date :

Nov. 9, 2024, 11:15 a.m.

Last Modified :

Nov. 14, 2024, 5:04 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

5.2

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-50250 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-50250.

URL Resource
https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394 Patch
https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d Patch
https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c Patch
https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28 Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-50250 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-50250 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Nov. 14, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
    Changed Reference Type https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394 No Types Assigned https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394 Patch
    Changed Reference Type https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d No Types Assigned https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d Patch
    Changed Reference Type https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c No Types Assigned https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c Patch
    Changed Reference Type https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28 No Types Assigned https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28 Patch
    Added CWE NIST NVD-CWE-noinfo
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.113 up to (excluding) 6.1.116 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.60 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.11.7 *cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 09, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, even if its pos argument is in the middle of that page. This is catastrophic for data integrity when iter->pos is not aligned to a page, because daddr/saddr do not point to the same byte in the file as iter->pos. Hence we corrupt user data by copying it to the wrong place. If iter->pos + iomap_length() in the _iter function not aligned to a page, then we fail to copy a full block, and only partially populate the destination block. This is catastrophic for data confidentiality because we expose stale pmem contents. Fix both of these issues by aligning copy_pos/copy_len to a page boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that we always copy full blocks. We're not done yet -- there's no call to invalidate_inode_pages2_range, so programs that have the file range mmap'd will continue accessing the old memory mapping after the file metadata updates have completed. Be careful with the return value -- if the unshare succeeds, we still need to return the number of bytes that the iomap iter thinks we're operating on.
    Added Reference kernel.org https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-50250 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-50250 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: