{"id":"CVE-2024-49884","summary":"ext4: fix slab-use-after-free in ext4_split_extent_at()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-use-after-free in ext4_split_extent_at()\n\nWe hit the following use-after-free:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0\nRead of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40\nCPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724\nCall Trace:\n \u003cTASK\u003e\n kasan_report+0x93/0xc0\n ext4_split_extent_at+0xba8/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nAllocated by task 40:\n __kmalloc_noprof+0x1ac/0x480\n ext4_find_extent+0xf3b/0x1e70\n ext4_ext_map_blocks+0x188/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nFreed by task 40:\n kfree+0xf1/0x2b0\n ext4_find_extent+0xa71/0x1e70\n ext4_ext_insert_extent+0xa22/0x3260\n ext4_split_extent_at+0x3ef/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\next4_split_extent_at\n  path = *ppath\n  ext4_ext_insert_extent(ppath)\n    ext4_ext_create_new_leaf(ppath)\n      ext4_find_extent(orig_path)\n        path = *orig_path\n        read_extent_tree_block\n          // return -ENOMEM or -EIO\n        ext4_free_ext_path(path)\n          kfree(path)\n        *orig_path = NULL\n  a. If err is -ENOMEM:\n  ext4_ext_dirty(path + path-\u003ep_depth)\n  // path use-after-free !!!\n  b. If err is -EIO and we have EXT_DEBUG defined:\n  ext4_ext_show_leaf(path)\n    eh = path[depth].p_hdr\n    // path also use-after-free !!!\n\nSo when trying to zeroout or fix the extent length, call ext4_find_extent()\nto update the path.\n\nIn addition we use *ppath directly as an ext4_ext_show_leaf() input to\navoid possible use-after-free when EXT_DEBUG is defined, and to avoid\nunnecessary path updates.","modified":"2026-04-02T12:21:04.821320Z","published":"2024-10-21T18:01:21.517Z","related":["MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4367-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:0117-1","SUSE-SU-2025:0153-1","SUSE-SU-2025:0154-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:0784-1","SUSE-SU-2025:0834-1","SUSE-SU-2025:0847-1","SUSE-SU-2025:0856-1","SUSE-SU-2025:0955-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49884.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade"},{"type":"WEB","url":"https://git.kernel.org/stable/c/448100a29395b0c8b4c42967155849fe0fbe808f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49884.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49884"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dfe5080939ea4686b3414b5d970a9b26733c57a4"},{"fixed":"393a46f60ea4f249dc9d496d4eb2d542f5e11ade"},{"fixed":"448100a29395b0c8b4c42967155849fe0fbe808f"},{"fixed":"e52f933598b781d291b9297e39c463536da0e185"},{"fixed":"cafcc1bd62934547c76abf46c6d0d54f135006fe"},{"fixed":"a5401d4c3e2a3d25643c567d26e6de327774a2c9"},{"fixed":"8fe117790b37c84c651e2bad9efc0e7fda73c0e3"},{"fixed":"5d949ea75bb529ea6342e83465938a3b0ac51238"},{"fixed":"915ac3630488af0ca194dc63b86d99802b4f6e18"},{"fixed":"c26ab35702f8cd0cdc78f96aa5856bfb77be798f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49884.json"}}],"schema_version":"1.7.5"}