{"uuid": "108806e9-a7f8-4919-accf-30c67652314b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-43898", "type": "seen", "source": "https://t.me/cvedetector/4128", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-43898 - Linux Kernel ext4 NULL Pointer Dereference Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-43898 \nPublished : Aug. 26, 2024, 11:15 a.m. | 21\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \next4: sanity check for NULL pointer after ext4_force_shutdown  \n  \nTest case: 2 threads write short inline data to a file.  \nIn ext4_page_mkwrite the resulting inline data is converted.  \nHandling ext4_grp_locked_error with description \"block bitmap  \nand bg descriptor inconsistent: X vs Y free clusters\" calls  \next4_force_shutdown. The conversion clears  \nEXT4_STATE_MAY_INLINE_DATA but fails for  \next4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due  \nto ext4_forced_shutdown. The restoration of inline data fails  \nfor the same reason not setting EXT4_STATE_MAY_INLINE_DATA.  \nWithout the flag set a regular process path in ext4_da_write_end  \nfollows trying to dereference page folio private pointer that has  \nnot been set. The fix calls early return with -EIO error should the  \npointer to private be NULL.  
\n  \nSample crash report:  \n  \nUnable to handle kernel paging request at virtual address dfff800000000004  \nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]  \nMem abort info:  \n  ESR = 0x0000000096000005  \n  EC = 0x25: DABT (current EL), IL = 32 bits  \n  SET = 0, FnV = 0  \n  EA = 0, S1PTW = 0  \n  FSC = 0x05: level 1 translation fault  \nData abort info:  \n  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000  \n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0  \n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  \n[dfff800000000004] address between user and kernel address ranges  \nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP  \nModules linked in:  \nCPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0  \nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024  \npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)  \npc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167  \nlr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160  \nsp : ffff8000a1957600  \nx29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0  \nx26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000  \nx23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020  \nx20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196  \nx17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0  \nx14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000  \nx11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000  \nx8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000  \nx5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020  \nx2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0  \nCall trace:  \n __block_commit_write+0x64/0x2b0 fs/buffer.c:2167  \n block_write_end+0xb4/0x104 fs/buffer.c:2253  \n ext4_da_do_write_end fs/ext4/inode.c:2955 [inline]  \n ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028  \n 
generic_perform_write+0x394/0x588 mm/filemap.c:3985  \n ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299  \n ext4_file_write_iter+0x188/0x1780  \n call_write_iter include/linux/fs.h:2110 [inline]  \n new_sync_write fs/read_write.c:497 [inline]  \n vfs_write+0x968/0xc3c fs/read_write.c:590  \n ksys_write+0x15c/0x26c fs/read_write.c:643  \n __do_sys_write fs/read_write.c:655 [inline]  \n __se_sys_write fs/read_write.c:652 [inline]  \n __arm64_sys_write+0x7c/0x90 fs/read_write.c:652  \n __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]  \n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48  \n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133  \n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152  \n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712  \n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730  \n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598  \nCode: 97f85911 f94002da 91008356 d343fec8 (38796908)  \n---[ end trace [...]", "creation_timestamp": "2024-08-26T13:42:59.000000Z"}
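The failure sequence in the commit message above, as an added user-space model written for this page; it is not kernel code and not the upstream patch. The types and functions (fs_state, folio_t, convert_inline_data, da_write_end_fixed, run_scenario) are this model's own simplifications and are assumptions; the real ext4 structures and call paths differ. The model shows why the flag is lost under forced shutdown, the condition the unfixed ext4_da_write_end walks into, and the early -EIO return the fix adds before the private pointer is touched.

```c
/* Added example, not kernel code: a user-space model of the CVE-2024-43898
 * sequence and of the -EIO early return that fixes it. All names below are
 * this model's own simplifications (assumptions), not ext4's real ones. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define STATE_MAY_INLINE_DATA 0x1u   /* stands in for EXT4_STATE_MAY_INLINE_DATA */

typedef struct {
    void *private;          /* stands in for folio private data; NULL = never attached */
} folio_t;

typedef struct {
    bool forced_shutdown;   /* stands in for ext4_forced_shutdown(sb) */
    unsigned inode_state;   /* stands in for the inode's EXT4_STATE_* bits */
    int buffers;            /* object that folio->private points at once attached */
} fs_state;

/* Models the inline-data conversion in ext4_page_mkwrite: the flag is
 * cleared before the steps that can fail. Under forced shutdown those
 * steps return -EIO and the restore path fails too, so the flag stays
 * cleared and nothing is ever attached to the folio. */
static int convert_inline_data(fs_state *fs, folio_t *folio)
{
    fs->inode_state &= ~STATE_MAY_INLINE_DATA;
    if (fs->forced_shutdown)
        return -EIO;        /* destroy/mark_dirty fail; restore fails too */
    folio->private = &fs->buffers;
    return 0;
}

/* The condition the unfixed write_end walks into: inline flag clear, so
 * the regular delayed-allocation path runs and dereferences folio->private,
 * which nothing ever set. Reported as a predicate so the model cannot crash. */
static bool vulnerable_path_would_deref_null(const fs_state *fs, const folio_t *folio)
{
    return !(fs->inode_state & STATE_MAY_INLINE_DATA) && folio->private == NULL;
}

/* Hardened write_end: the fix as described, an early -EIO when private is
 * NULL, before anything touches it. Returns the bytes committed otherwise. */
static int da_write_end_fixed(const fs_state *fs, folio_t *folio, int copied)
{
    if (fs->inode_state & STATE_MAY_INLINE_DATA)
        return copied;      /* inline path; not modelled further */
    if (folio->private == NULL)
        return -EIO;        /* sanity check added by the fix */
    int *buffers = folio->private;
    *buffers += copied;     /* stands in for block_write_end() work */
    return copied;
}

/* Fresh inode with inline data, then the mkwrite conversion (which may fail). */
static void setup_and_convert(bool forced_shutdown, fs_state *fs, folio_t *folio)
{
    *fs = (fs_state){ .forced_shutdown = forced_shutdown,
                      .inode_state = STATE_MAY_INLINE_DATA, .buffers = 0 };
    *folio = (folio_t){ .private = NULL };
    convert_inline_data(fs, folio);
}

/* Result of the fixed write_end after the conversion step. */
static int run_scenario(bool forced_shutdown, int copied)
{
    fs_state fs; folio_t folio;
    setup_and_convert(forced_shutdown, &fs, &folio);
    return da_write_end_fixed(&fs, &folio, copied);
}

/* Whether the unfixed path would have hit the NULL dereference. */
static bool scenario_hits_vulnerable_path(bool forced_shutdown)
{
    fs_state fs; folio_t folio;
    setup_and_convert(forced_shutdown, &fs, &folio);
    return vulnerable_path_would_deref_null(&fs, &folio);
}

int main(void)
{
    printf("healthy fs: write_end -> %d\n", run_scenario(false, 16));
    printf("shut-down fs: write_end -> %d (-EIO is %d)\n", run_scenario(true, 16), -EIO);
    printf("shut-down fs reaches unfixed NULL deref: %s\n",
           scenario_hits_vulnerable_path(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes: the flag that normally routes the write to the inline path is cleared before the step that can fail, and a forced shutdown makes both the failing step and its restore path return early, so the only safe place left to catch the inconsistency is the NULL check at the top of the regular write_end path. On a healthy filesystem the same code returns the byte count unchanged.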