{"uuid": "62dbab47-9ca4-438f-aa5f-e58d7618fba6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-50278", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/11428", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-50278 - \\\"linux kernel dm cache out-of-bounds access\\\"\", \n  \"Content\": \"CVE ID : CVE-2024-50278 \nPublished : Nov. 19, 2024, 2:16 a.m. | 41\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \ndm cache: fix potential out-of-bounds access on the first resume  \n  \nOut-of-bounds access occurs if the fast device is expanded unexpectedly  \nbefore the first-time resume of the cache table. This happens because  \nexpanding the fast device requires reloading the cache table for  \ncache_create to allocate new in-core data structures that fit the new  \nsize, and the check in cache_preresume is not performed during the  \nfirst resume, leading to the issue.  \n  \nReproduce steps:  \n  \n1. prepare component devices:  \n  \ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"  \ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"  \ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"  \ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct  \n  \n2. load a cache table of 512 cache blocks, and deliberately expand the  \n   fast device before resuming the cache, making the in-core data  \n   structures inadequate.  \n  \ndmsetup create cache --notable  \ndmsetup reload cache --table \"0 524288 cache /dev/mapper/cmeta \\  \n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"  \ndmsetup reload cdata --table \"0 131072 linear /dev/sdc 8192\"  \ndmsetup resume cdata  \ndmsetup resume cache  \n  \n3. suspend the cache to write out the in-core dirty bitset and hint  \n   array, leading to out-of-bounds access to the dirty bitset at offset  \n   0x40:  \n  \ndmsetup suspend cache  \n  \nKASAN reports:  \n  \n  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80  \n  Read of size 8 at addr ffffc90000085040 by task dmsetup/90  \n  \n  (...snip...)  \n  The buggy address belongs to the virtual mapping at  \n   [ffffc90000085000, ffffc90000087000) created by:  \n   cache_ctr+0x176a/0x35f0  \n  \n  (...snip...)  \n  Memory state around the buggy address:  \n   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  \n   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  \n  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8  \n                                             ^  \n   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  \n   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  \n  \nFix by checking the size change on the first resume. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-19T04:16:10.000000Z"}