Bug 2338193 (CVE-2024-57892) - CVE-2024-57892 kernel: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
Summary: CVE-2024-57892 kernel: ocfs2: fix slab-use-after-free due to dangling pointer...
Keywords:
Status: NEW
Alias: CVE-2024-57892
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-01-15 14:02 UTC by OSIDB Bzimport
Modified: 2025-01-28 13:24 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-01-15 14:02:22 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota.  Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.

During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed.  Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags.  Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags.

To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.

[akpm: coding-style cleanups]
Comment 1 Mauro Matteo Cascella 2025-01-15 14:19:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025011513-CVE-2024-57892-6d53@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.