UBUNTU-CVE-2024-47736

Advisory lineage Upstream: 1 Downstream: 12

Upstream

CVE-2024-47736

Downstream

USN-7310-1 USN-7513-1 USN-7513-2 USN-7513-3 USN-7513-4 USN-7513-5

Published: 21 Oct 2024, 13:15

Last modified:03 Jun 2026, 13:38

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

3.1 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 Oct 2024, 13:15

Published

Vulnerability first disclosed

03 Jun 2026, 13:38

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: erofs: handle overlapped pclusters out of crafted images properly syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os. After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below: Ext: logical offset | length : physical offset | length 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384 ... Here, extent 0/1 are physically overlapped although it's entirely _impossible_ for normal filesystem images generated by mkfs. First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits. Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness. Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`") for simplicity although it shouldn't be any difference.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Systems

ubuntu•linux
all | < 6.8.0-60.63
ubuntu•linux-allwinner-5.19
all
ubuntu•linux-aws
all | < 6.8.0-1029.31
ubuntu•linux-aws-5.0
all
ubuntu•linux-aws-5.11
all
ubuntu•linux-aws-5.13
all
ubuntu•linux-aws-5.15
all
ubuntu•linux-aws-5.19
all
ubuntu•linux-aws-5.3
all
ubuntu•linux-aws-5.8
all
ubuntu•linux-aws-6.2
all
ubuntu•linux-aws-6.5
all
ubuntu•linux-aws-6.8
< 6.8.0-1029.31~22.04.1
ubuntu•linux-aws-fips
all
ubuntu•linux-azure
all | all | < 6.8.0-1029.34
ubuntu•linux-azure-5.11
all
ubuntu•linux-azure-5.13
all
ubuntu•linux-azure-5.15
all
ubuntu•linux-azure-5.19
all
ubuntu•linux-azure-5.3
all
ubuntu•linux-azure-5.8
all
ubuntu•linux-azure-6.11
< 6.11.0-1012.12~24.04.1
ubuntu•linux-azure-6.2
all
ubuntu•linux-azure-6.5
all
ubuntu•linux-azure-6.8
< 6.8.0-1029.34~22.04.1
ubuntu•linux-azure-edge
all
ubuntu•linux-azure-fde
all | all
ubuntu•linux-azure-fde-5.19
all
ubuntu•linux-azure-fde-6.2
all
ubuntu•linux-azure-fips
all
ubuntu•linux-azure-nvidia
< 6.8.0-1016.17
ubuntu•linux-bluefield
all | all
ubuntu•linux-fips
all | < 6.8.0-78.78+fips1
ubuntu•linux-gcp
all | all | < 6.8.0-1030.32
ubuntu•linux-gcp-5.11
all
ubuntu•linux-gcp-5.13
all
ubuntu•linux-gcp-5.15
all
ubuntu•linux-gcp-5.19
all
ubuntu•linux-gcp-5.3
all
ubuntu•linux-gcp-5.8
all
ubuntu•linux-gcp-6.11
< 6.11.0-1011.11~24.04.1
ubuntu•linux-gcp-6.2
all
ubuntu•linux-gcp-6.5
all
ubuntu•linux-gcp-6.8
< 6.8.0-1030.32~22.04.1
ubuntu•linux-gcp-fips
all
ubuntu•linux-gke
all | all | < 6.8.0-1025.29
ubuntu•linux-gke-4.15
all
ubuntu•linux-gke-5.15
all
ubuntu•linux-gke-5.4
all
ubuntu•linux-gkeop
all | < 6.8.0-1012.14

Showing first 50 affected entries in server-rendered view.