{"uuid": "0aa2c6ad-feaf-43b6-b142-85de34064dff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57929", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/15844", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-57929 - Linux Device-Mapper Array Buffer\u00edo Buffer Overwrite\", \n  \"Content\": \"CVE ID : CVE-2024-57929 \nPublished : Jan. 19, 2025, 12:15 p.m. | 36\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \ndm array: fix releasing a faulty array block twice in dm_array_cursor_end  \n  \nWhen dm_bm_read_lock() fails due to locking or checksum errors, it  \nreleases the faulty block implicitly while leaving an invalid output  \npointer behind. The caller of dm_bm_read_lock() should not operate on  \nthis invalid dm_block pointer, or it will lead to undefined result.  \nFor example, the dm_array_cursor incorrectly caches the invalid pointer  \non reading a faulty array block, causing a double release in  \ndm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().  \n  \nReproduce steps:  \n  \n1. initialize a cache device  \n  \ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"  \ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"  \ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"  \ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1  \ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\  \n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"  \n  \n2. wipe the second array block offline  \n  \ndmsteup remove cache cmeta cdata corig  \nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\  \n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')  \nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\  \n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')  \ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock  \n  \n3. try reopen the cache device  \n  \ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"  \ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"  \ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"  \ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\  \n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"  \n  \nKernel logs:  \n  \n(snip)  \ndevice-mapper: array: array_block_check failed: blocknr 0 != wanted 10  \ndevice-mapper: block manager: array validator check failed for block 10  \ndevice-mapper: array: get_ablock failed  \ndevice-mapper: cache metadata: dm_array_cursor_next for mapping failed  \n------------[ cut here ]------------  \nkernel BUG at drivers/md/dm-bufio.c:638!  \n  \nFix by setting the cached block pointer to NULL on errors.  \n  \nIn addition to the reproducer described above, this fix can be  \nverified using the \"array_cursor/damaged\" test in dm-unit:  \n  dm-unit run /pdata/array_cursor/damaged --kernel-dir \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-19T13:58:16.000000Z"}