high
7.1
Advisory Published
Updated

CVE-2024-50250: fsdax: dax_unshare_iter needs to copy entire blocks

First published: Sat Nov 09 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: fsdax: dax_unshare_iter needs to copy entire blocks The code that copies data from srcmap to iomap in dax_unshare_iter is very very broken, which bfoster's recent fsx changes have exposed. If the pos and len passed to dax_file_unshare are not aligned to an fsblock boundary, the iter pos and length in the _iter function will reflect this unalignment. dax_iomap_direct_access always returns a pointer to the start of the kmapped fsdax page, even if its pos argument is in the middle of that page. This is catastrophic for data integrity when iter->pos is not aligned to a page, because daddr/saddr do not point to the same byte in the file as iter->pos. Hence we corrupt user data by copying it to the wrong place. If iter->pos + iomap_length() in the _iter function not aligned to a page, then we fail to copy a full block, and only partially populate the destination block. This is catastrophic for data confidentiality because we expose stale pmem contents. Fix both of these issues by aligning copy_pos/copy_len to a page boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that we always copy full blocks. We're not done yet -- there's no call to invalidate_inode_pages2_range, so programs that have the file range mmap'd will continue accessing the old memory mapping after the file metadata updates have completed. Be careful with the return value -- if the unshare succeeds, we still need to return the number of bytes that the iomap iter thinks we're operating on.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel>=6.1.113<6.1.116
Linux Kernel>=6.2<6.6.60
Linux Kernel>=6.7<6.11.7
Linux Kernel=6.12-rc1
Linux Kernel=6.12-rc2
Linux Kernel=6.12-rc3
Linux Kernel=6.12-rc4
Linux Kernel=6.12-rc5
debian/linux
5.10.223-1
5.10.234-1
6.1.129-1
6.1.133-1
6.12.21-1
6.12.22-1
debian/linux-6.1
6.1.129-1~deb11u1

Remedy

https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394

Remedy

https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d

Remedy

https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c

Remedy

https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-50250?

    CVE-2024-50250 has a high severity due to its impact on data integrity in the Linux kernel.

  • How do I fix CVE-2024-50250?

    To fix CVE-2024-50250, update your Linux kernel to a version that has patched the vulnerability.

  • Which versions of the Linux kernel are affected by CVE-2024-50250?

    CVE-2024-50250 affects specific versions of the Linux kernel, including from 6.1.113 to 6.1.116 and various versions from 6.2 to 6.12-rc5.

  • What components does CVE-2024-50250 specific impact?

    CVE-2024-50250 specifically impacts the fsdax subsystem within the Linux kernel.

  • What type of vulnerability is CVE-2024-50250?

    CVE-2024-50250 is an integrity vulnerability that arises from broken data copying mechanisms within the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203