CVE-2024-41013

{"id": "CVE-2024-41013", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-07-29T07:15:05.430", "references": [{"url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0932e4f9da85349d1c8f2a77d2a7a7163b8511d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: xfs: no salga del final de un bloque de datos de directorio. Esto agrega controles de sanitizaci\u00f3n para xfs_dir2_data_unused y xfs_dir2_data_entry para asegurarse de que no se desv\u00eden m\u00e1s all\u00e1 de la regi\u00f3n de memoria v\u00e1lida. Antes de parchear, el bucle simplemente verifica que el desplazamiento inicial de dup y dep est\u00e9 dentro del rango. Entonces, en una imagen manipulada, si la \u00faltima entrada es xfs_dir2_data_unused, podemos cambiar dup->length a dup->length-1 y dejar 1 byte de espacio. En el pr\u00f3ximo recorrido, este espacio se considerar\u00e1 dup o dep. Es posible que nos encontremos con una lectura fuera de los l\u00edmites al acceder a los miembros fijos. En el parche, nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener una entrada no utilizada antes de acceder a xfs_dir2_data_unused y xfs_dir2_data_unused est\u00e9n alineados con los bytes XFS_DIR2_DATA_ALIGN. Tambi\u00e9n nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener un directorio con un nombre de un solo byte antes de acceder a xfs_dir2_data_entry."}], "lastModified": "2025-09-25T20:08:08.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20240234-C43A-430F-93FD-8F52CD666DE5", "versionEndExcluding": "6.1.142"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74BA9823-CCED-4B24-815D-B82543954BF8", "versionEndExcluding": "6.6.68", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0AFF4B3-FB61-4841-BE39-C5786A46BBA0", "versionEndExcluding": "6.11", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}