PT-2025-3654 · Linux · Linux Kernel
Ming-Hung Tsai · Published 2024-12-05 · Updated 2025-11-07
CVE-2024-57929
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
A vulnerability in the Linux kernel's dm array code has been fixed: a faulty array block could be released twice in dm_array_cursor_end(). When dm_bm_read_lock() fails because of a locking or checksum error, it releases the faulty block implicitly but leaves an invalid output pointer behind. The caller of dm_bm_read_lock() must not operate on this invalid dm_block pointer, or the result is undefined. In this case the dm_array_cursor incorrectly keeps the invalid pointer cached after reading a faulty array block, which causes a double release in dm_array_cursor_end() and then hits the BUG_ON in the dm-bufio cache_put() path.
The issue can be reproduced by initializing a cache device, wiping the second array block offline, and then trying to reopen the cache device. The kernel log shows errors such as device-mapper: array: array_block_check failed and kernel BUG at drivers/md/dm-bufio.c:638. The fix sets the cached block pointer to NULL on errors.
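The sequence described above, as an added illustration that is not the kernel's code and not part of the original advisory: a toy block model with a hold count stands in for the dm_block / dm-bufio buffer, read_lock() mimics a dm_bm_read_lock() that drops its own reference on a checksum failure without updating the output pointer, and cursor_next() shows the unpatched behaviour beside the patched one (cached pointer set to NULL on error). All names, the corrupt-block flag and the scenario are constructed for this example.

```c
#include <stdio.h>

/* Toy model of a block-manager buffer with a hold count, standing in for
 * the kernel's dm_block / dm-bufio buffer. Hypothetical, not kernel code. */
struct blk {
    long blocknr;
    int hold_count;
    int corrupt;        /* constructed fault: the checksum check fails */
};

/* Toy cursor caching a locked block, like dm_array_cursor's c->block. */
struct cursor {
    struct blk *block;
};

static int bug_on_hits;  /* counts conditions dm-bufio would BUG_ON */

/* Stand-in for dm_bm_read_lock(): on success stores the locked block in
 * *result. On a checksum failure it drops its own reference and returns
 * an error WITHOUT touching *result, so a stale pointer survives there. */
static int read_lock(struct blk *b, struct blk **result)
{
    b->hold_count++;
    if (b->corrupt) {
        b->hold_count--;           /* implicit release on failure */
        return -1;                 /* *result is left untouched */
    }
    *result = b;
    return 0;
}

/* Stand-in for unlock / cache_put(): releasing a block that is no longer
 * held is the condition dm-bufio guards with BUG_ON. */
static void unlock(struct blk *b)
{
    if (b->hold_count == 0) {
        bug_on_hits++;             /* would be a kernel BUG here */
        return;
    }
    b->hold_count--;
}

/* Advance the cursor: unlock the current block, then try to lock the next.
 * 'fixed' selects the patched behaviour (NULL the cached pointer on error)
 * versus the original, which leaves the already-released block cached. */
static int cursor_next(struct cursor *c, struct blk *next, int fixed)
{
    int r;
    unlock(c->block);
    r = read_lock(next, &c->block);
    if (r && fixed)
        c->block = NULL;           /* the fix: don't keep the stale pointer */
    return r;
}

/* Like dm_array_cursor_end(): release whatever block is still cached. */
static void cursor_end(struct cursor *c)
{
    if (c->block)
        unlock(c->block);
}

/* Reproduction scenario: block 1 is intact, block 2 is "wiped" (corrupt).
 * Returns the number of BUG_ON conditions hit: 1 unpatched, 0 patched. */
int run_scenario(int fixed)
{
    struct blk b1 = {1, 0, 0};
    struct blk b2 = {2, 0, 1};     /* the wiped second array block */
    struct cursor c = {0};

    bug_on_hits = 0;
    if (read_lock(&b1, &c.block) != 0)
        return -1;
    (void)cursor_next(&c, &b2, fixed);   /* fails on the corrupt block */
    cursor_end(&c);                      /* double release if unpatched */
    return bug_on_hits;
}

int main(void)
{
    printf("unpatched BUG_ON hits: %d\n", run_scenario(0));
    printf("patched   BUG_ON hits: %d\n", run_scenario(1));
    return 0;
}
```

The unpatched path releases block 1 in cursor_next(), fails to lock block 2, and then releases block 1 again in cursor_end() because the cursor still points at it; the patched path clears the pointer so cursor_end() has nothing to release.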
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider disabling the dm_array_cursor_end() function until a patch is available. Restrict access to the vulnerable dm_bm_read_lock() function to minimize the risk of exploitation. Avoid using the dm_block pointer in the affected API endpoint until the issue is resolved.
Exploit
Fix
NULL Pointer Dereference
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu