CVE-2024-57929
Published: 19 January 2025
Summary
CVE-2024-57929 is a high-severity Operation on a Resource after Expiration or Release (CWE-672) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely patching of the Linux kernel flaw remediates the invalid pointer caching and double release in dm_array_cursor_end() triggered by dm_bm_read_lock() failures.
Robust error handling prevents caching and subsequent use of invalid dm_block pointers after checksum or locking failures in device-mapper array operations.
System memory protection mechanisms mitigate double-free vulnerabilities in kernel dm-bufio by detecting invalid memory accesses during cache_put().
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel vulnerability triggers double-free/BUG leading to system crash, directly enabling Endpoint DoS via system exploitation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dm_array_cursor_end When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid…
more
output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put(). Reproduce steps: 1. initialize a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. wipe the second array block offline dmsteup remove cache cmeta cdata corig mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try reopen the cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc $262144" dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) device-mapper: array: array_block_check failed: blocknr 0 != wanted 10 device-mapper: block manager: array validator check failed for block 10 device-mapper: array: get_ablock failed device-mapper: cache metadata: dm_array_cursor_next for mapping failed ------------[ cut here ]------------ kernel BUG at drivers/md/dm-bufio.c:638! Fix by setting the cached block pointer to NULL on errors. In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>
Deeper analysisAI
CVE-2024-57929 is a vulnerability in the Linux kernel's device-mapper (dm) array module, specifically affecting the dm_array_cursor_end() function. When dm_bm_read_lock() fails due to locking or checksum errors—such as on a faulty array block—it implicitly releases the block while leaving an invalid pointer. The dm_array_cursor incorrectly caches this invalid dm_block pointer, leading to a double release during dm_array_cursor_end() and triggering a BUG_ON() in the dm-bufio cache_put() at drivers/md/dm-bufio.c:638. This issue manifests in dm-cache metadata operations, as demonstrated by reproducer steps involving initialization of a cache device, offline wiping of a specific array block, and reopening the device.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) in a local scope (AV:L/S:U). By corrupting specific metadata blocks, such as the second array block in a dm-cache setup, the attacker triggers the faulty read, invalid pointer caching, and subsequent double release. This results in a kernel BUG and system crash, achieving high availability impact (A:H) and high confidentiality impact (C:H) per the CVSS 3.1 score of 7.1, with no integrity impact (I:N) and mapping to CWE-672.
The referenced kernel stable commits provide the fix by setting the cached block pointer to NULL upon errors in dm_bm_read_lock() failures, preventing the double release. These patches are available at git.kernel.org/stable for backported kernels: 017c4470bff5, 6002bec5354f, 738994872d77, 9c7c03d0e926, and e477021d252c. The fix can be verified using the dm-unit test "array_cursor/damaged".
No real-world exploitation is reported, and the vulnerability is verifiable via provided reproducer steps or dm-unit testing on affected kernels.
Details
- CWE(s)