CVE-2024-57892

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.74

Description A slab-use-after-free issue occurs in the Linux kernel when mounting ocfs2 and then remounting it as read-only. This happens after the user uses a syscall to quota getnextquota. The issue is caused by a dangling pointer dqi priv in sb dqinfo(sb, type). During the remounting process, the pointer dqi priv is freed but not set to null, allowing it to be accessed. The read-only option for remounting sets the DQUOT SUSPENDED flag instead of the DQUOT USAGE ENABLED flags. Later, in the process of getting the next quota, the function ocfs2 get next id is called, which only checks the quota usage flags and not the quota suspended flags.

Recommendations To resolve this issue, update to Linux kernel version 6.6.74 or later. As a temporary workaround, consider disabling the ocfs2 filesystem until a patch is available. Restrict access to the quota getnextquota syscall to minimize the risk of exploitation. Avoid using the dqi priv pointer in the affected code until the issue is resolved.