CVE-2024-57929: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

When dm_bm_read_lock() fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller of dm_bm_read_lock() should not operate on this invalid dm_block pointer, or it will lead to an undefined result. For example, the dm_array_cursor incorrectly caches the invalid pointer on reading a faulty array block, causing a double release in dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().

Reproduce steps:

1. initialize a cache device

    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc $262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
      /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. wipe the second array block offline

    dmsetup remove cache cmeta cdata corig
    mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
      2>/dev/null | hexdump -e '1/8 "%u\n"')
    ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
      2>/dev/null | hexdump -e '1/8 "%u\n"')
    dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try to reopen the cache device

    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc $262144"
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
      /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

    (snip)
    device-mapper: array: array_block_check failed: blocknr 0 != wanted 10
    device-mapper: block manager: array validator check failed for block 10
    device-mapper: array: get_ablock failed
    device-mapper: cache metadata: dm_array_cursor_next for mapping failed
    ------------[ cut here ]------------
    kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be verified using the "array_cursor/damaged" test in dm-unit:

    dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>
AI Analysis
Technical Summary
CVE-2024-57929 is a vulnerability in the Linux kernel's device-mapper (dm) subsystem, specifically in the dm_array code that manages array blocks in cache metadata. The flaw arises when dm_bm_read_lock() hits a locking or checksum error while reading a block: it releases the faulty block internally but leaves its output pointer pointing at the now-released dm_block. Callers such as dm_array_cursor then cache this stale pointer and later operate on it, so dm_array_cursor_end() releases the same block a second time and trips the BUG_ON in dm-bufio's cache_put(). The result is a kernel crash (denial of service) caused by the double release of a block that is no longer held. The issue is reproducible by building a cache device with dmsetup, corrupting a specific array block on the underlying storage device, and reopening the device, as shown in the reproduce steps above. The root cause is error handling in the array cursor that keeps a pointer the read-lock failed to produce; the fix sets the cached block pointer to NULL on error so that no stale pointer survives to be released again. The vulnerability affects the Linux kernel versions identified in the CVE record and concerns the device-mapper cache target, which provides block-level caching of storage devices to improve performance. Although no CVSS score has been assigned yet, the vulnerability is significant because it can cause kernel panics and system instability. There are no known exploits in the wild at this time.
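The mechanism described above, as an added C model that is not kernel code and not part of the advisory: a hypothetical block manager whose read lock releases the block on a validator failure but leaves its output pointer set, a cursor that caches that pointer, and the two ways of closing the cursor. The names block, bm_read_lock(), cursor_load_buggy(), cursor_load_fixed() and cursor_end() are stand-ins for dm_block, dm_bm_read_lock(), the dm_array_cursor load path and dm_array_cursor_end(); the holders counter plays the role of dm-bufio's hold count, and double_puts records what cache_put()'s BUG_ON would otherwise have caught.

```c
/* Added example, not kernel code: a minimal model of the dm-array cursor
 * defect fixed by CVE-2024-57929 and of the fix (clear the cached pointer
 * on error). All names below are hypothetical stand-ins for the kernel's. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct block {
    unsigned long nr;      /* block number on the metadata device */
    int holders;           /* outstanding read locks (dm-bufio hold count) */
    bool checksum_ok;      /* constructed: does the array validator accept it? */
};

static int double_puts;    /* releases of a block that nobody holds */

/* Stand-in for cache_put(): releasing an unheld block is the BUG_ON case. */
static void block_put(struct block *b)
{
    if (b->holders == 0) {
        double_puts++;     /* the kernel would BUG here instead of counting */
        return;
    }
    b->holders--;
}

/* Stand-in for dm_bm_read_lock(): on a validator failure the block is
 * released internally, but *result still points at it. That is the
 * "invalid output pointer" the advisory describes. */
static int bm_read_lock(struct block *b, struct block **result)
{
    b->holders++;
    *result = b;
    if (!b->checksum_ok) {
        block_put(b);      /* released implicitly ... */
        return -EILSEQ;    /* ... while *result is left untouched */
    }
    return 0;
}

struct cursor {
    struct block *block;   /* cached array block, as in dm_array_cursor */
};

/* Vulnerable pattern: keep whatever bm_read_lock() wrote, even on failure. */
static int cursor_load_buggy(struct cursor *c, struct block *b)
{
    return bm_read_lock(b, &c->block);
}

/* Fixed pattern: drop the stale pointer when the read lock fails. */
static int cursor_load_fixed(struct cursor *c, struct block *b)
{
    int r = bm_read_lock(b, &c->block);
    if (r)
        c->block = NULL;
    return r;
}

/* Stand-in for dm_array_cursor_end(): release the cached block, if any. */
static void cursor_end(struct cursor *c)
{
    if (c->block) {
        block_put(c->block);
        c->block = NULL;
    }
}

/* Open a cursor on one constructed block and close it again; return how
 * many double releases happened (0 is correct, 1 reproduces the bug). */
int cursor_round_trip(bool block_is_valid, bool use_fix)
{
    struct block blk = { .nr = 10, .holders = 0, .checksum_ok = block_is_valid };
    struct cursor c = { .block = NULL };

    double_puts = 0;
    if (use_fix)
        cursor_load_fixed(&c, &blk);
    else
        cursor_load_buggy(&c, &blk);
    cursor_end(&c);
    return double_puts;
}

int main(void)
{
    printf("valid block, old code  : %d double releases\n", cursor_round_trip(true, false));
    printf("faulty block, old code : %d double releases\n", cursor_round_trip(false, false));
    printf("faulty block, fixed    : %d double releases\n", cursor_round_trip(false, true));
    return 0;
}
```

On a valid block both versions behave identically: one lock, one release. On a block the validator rejects, the old load path leaves c->block pointing at a block whose hold count is already zero, so cursor_end() releases it a second time; the fixed path clears the pointer and cursor_end() has nothing to release.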
Potential Impact
For European organizations relying on Linux systems with device-mapper cache functionality enabled—commonly found in enterprise servers, storage appliances, and virtualization hosts—this vulnerability poses a risk of denial-of-service through kernel crashes. Such crashes can lead to unplanned downtime, data unavailability, and potential disruption of critical services. In environments where high availability and data integrity are paramount, such as financial institutions, healthcare providers, and government agencies, this could impact operational continuity and compliance with service-level agreements. Although the vulnerability does not directly enable privilege escalation or remote code execution, the induced kernel panic could be leveraged by attackers with local access to disrupt systems or cause cascading failures in clustered or virtualized environments. The complexity of reproducing the issue suggests exploitation requires local access and specific conditions, limiting widespread exploitation but still representing a serious stability risk. Additionally, recovery from kernel panics may require manual intervention, increasing operational overhead and incident response costs.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that address CVE-2024-57929 once available. Until patches are deployed, administrators should consider disabling device-mapper cache features on critical systems if feasible, to eliminate exposure. Monitoring kernel logs for error messages related to dm_array and dm-bufio can help detect attempts to trigger this vulnerability. Implement strict access controls to limit local user permissions, reducing the risk of an attacker triggering the fault. Regularly audit and verify the integrity of storage devices and cache metadata to detect corruption early. For environments using dmsetup and device-mapper cache extensively, incorporate automated testing similar to the dm-unit "array_cursor/damaged" test to validate system stability after updates or configuration changes. Finally, maintain robust backup and recovery procedures to minimize downtime in case of kernel crashes.
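The log-monitoring recommendation above, as an added example that is not part of the advisory: a small C scanner that recognises the dm-array, block-manager and dm-bufio messages quoted in the advisory's kernel log excerpt, extracts the failing block number, and grades the result. The sample log lines are constructed from that excerpt plus unrelated noise; scan_kernel_log(), dm_alert_level() and struct dm_log_summary are hypothetical names, not part of any kernel or dm tooling.

```c
/* Added example, not from the advisory or the kernel: scan kernel log lines
 * for the failure signatures quoted in CVE-2024-57929's log excerpt. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct dm_log_summary {
    int validator_failures;   /* array_block_check / block validator errors */
    int cursor_failures;      /* get_ablock / dm_array_cursor_next errors */
    int bufio_bug;            /* BUG_ON reached in drivers/md/dm-bufio.c */
    long last_bad_block;      /* block number from the last validator error, -1 if none */
};

static void scan_line(const char *line, struct dm_log_summary *s)
{
    const char *p;

    if (strstr(line, "array_block_check failed") ||
        strstr(line, "validator check failed")) {
        s->validator_failures++;
        /* "blocknr 0 != wanted 10" and "check failed for block 10" both name
         * the block whose on-disk contents did not validate */
        if ((p = strstr(line, "wanted ")) != NULL)
            sscanf(p + strlen("wanted "), "%ld", &s->last_bad_block);
        else if ((p = strstr(line, "for block ")) != NULL)
            sscanf(p + strlen("for block "), "%ld", &s->last_bad_block);
    } else if (strstr(line, "get_ablock failed") ||
               strstr(line, "dm_array_cursor_next for mapping failed")) {
        s->cursor_failures++;
    } else if (strstr(line, "kernel BUG at drivers/md/dm-bufio.c")) {
        s->bufio_bug++;
    }
}

struct dm_log_summary scan_kernel_log(const char *const *lines, size_t n)
{
    struct dm_log_summary s = { 0, 0, 0, -1 };
    for (size_t i = 0; i < n; i++)
        scan_line(lines[i], &s);
    return s;
}

/* 0: nothing relevant; 1: cache metadata failed validation (check the
 * device and its metadata); 2: the dm-bufio BUG_ON fired, i.e. the host
 * crashed on this path and its patch status must be confirmed. */
int dm_alert_level(const struct dm_log_summary *s)
{
    if (s->bufio_bug)
        return 2;
    if (s->validator_failures || s->cursor_failures)
        return 1;
    return 0;
}

/* Constructed sample: the advisory's excerpt interleaved with unrelated lines. */
static const char *const sample_log[] = {
    "device-mapper: cache: Block size limit reached",
    "device-mapper: array: array_block_check failed: blocknr 0 != wanted 10",
    "device-mapper: block manager: array validator check failed for block 10",
    "device-mapper: array: get_ablock failed",
    "device-mapper: cache metadata: dm_array_cursor_next for mapping failed",
    "------------[ cut here ]------------",
    "kernel BUG at drivers/md/dm-bufio.c:638!",
    "systemd[1]: Started Daily Cleanup of Temporary Directories.",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

struct dm_log_summary scan_sample_log(void)
{
    return scan_kernel_log(sample_log, SAMPLE_LOG_LEN);
}

int main(void)
{
    struct dm_log_summary s = scan_sample_log();
    printf("validator failures: %d, cursor failures: %d, bufio BUG: %d, "
           "last bad block: %ld, alert level: %d\n",
           s.validator_failures, s.cursor_failures, s.bufio_bug,
           s.last_bad_block, dm_alert_level(&s));
    return 0;
}
```

In production the same scan_line() logic would be fed from the journal or dmesg rather than an embedded array; the useful property is that the validator messages alone (level 1) already indicate corrupted cache metadata on the device, before any crash, while the dm-bufio BUG line (level 2) means the unpatched code path was reached.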
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-19T11:50:08.376Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdeaa9
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 9:10:14 AM
Last updated: 8/17/2025, 10:49:33 AM