CVE-2024-39276: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix mbcacheentry's erefcnt leak in ext4xattrblockcachefind()
Syzbot reports a warning as follows:
============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mbcachedestroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mbcachedestroy+0x224/0x290 fs/mbcache.c:419 Call Trace: ext4putsuper+0x6d4/0xcd0 fs/ext4/super.c:1375 genericshutdownsuper+0x136/0x2d0 fs/super.c:641 killblocksuper+0x44/0x90 fs/super.c:1675 ext4killsb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================
This is because when finding an entry in ext4xattrblockcachefind(), if ext4sbbread() returns -ENOMEM, the ce's erefcnt, which has already grown in the entryfind(), won't be put away, and eventually trigger the above issue in mbcachedestroy() due to reference count leakage.
So call mbcacheentryput() on the -ENOMEM error branch as a quick fix.
Other sources
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix mbcacheentry's erefcnt leak in ext4xattrblockcachefind()
Syzbot reports a warning as follows:
============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mbcachedestroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mbcachedestroy+0x224/0x290 fs/mbcache.c:419 Call Trace: <TASK> ext4putsuper+0x6d4/0xcd0 fs/ext4/super.c:1375 genericshutdownsuper+0x136/0x2d0 fs/super.c:641 killblocksuper+0x44/0x90 fs/super.c:1675 ext4killsb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================
This is because when finding an entry in ext4xattrblockcachefind(), if ext4sbbread() returns -ENOMEM, the ce's erefcnt, which has already grown in the entryfind(), won't be put away, and eventually trigger the above issue in mbcachedestroy() due to reference count leakage.
So call mbcacheentryput() on the -ENOMEM error branch as a quick fix.
— NVD
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix mbcacheentry's erefcnt leak in ext4xattrblockcachefind()
The Linux kernel CVE team has assigned CVE-2024-39276 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024062548-CVE-2024-39276-5205@gregkh/T
— Red Hat
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-39276?
CVE-2024-39276 is classified as a medium severity vulnerability in the Linux kernel due to the potential for an e_refcnt leak.
How do I fix CVE-2024-39276?
To fix CVE-2024-39276, upgrade to the recommended versions of the Linux kernel which include patches for this vulnerability.
What systems are affected by CVE-2024-39276?
CVE-2024-39276 affects various versions of the Linux kernel including specific versions from Red Hat and Debian distributions.
Is there a workaround for CVE-2024-39276?
There are no known workarounds for CVE-2024-39276; the recommended action is to apply the kernel updates provided.
What are the impacts of CVE-2024-39276 if left unpatched?
If left unpatched, CVE-2024-39276 could potentially lead to data integrity issues due to the e_refcnt leak in the ext4 file system.