CVE-2024-39472: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39472 is a vulnerability in the Linux kernel's XFS filesystem log recovery mechanism. The issue was discovered when a fix for incorrect h_size values in old xfsprogs versions inadvertently introduced a potential out-of-bounds access vulnerability. This vulnerability affects Linux kernel versions up to 6.9.3 (NVD).

The vulnerability stems from a regression introduced by commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") which cleaned up the log recovery buffer calculation but stopped using the fixed up hsize value to size the log recovery buffer. This could lead to an out-of-bounds access when the incorrect hsize does not come from the old mkfs tool but from a fuzzer. The issue has been assigned a CVSS v3.1 base score of 5.5 MEDIUM with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in an out-of-bounds access during XFS filesystem log recovery operations, potentially leading to system instability or denial of service. The issue affects local system availability but does not impact confidentiality or integrity (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that properly handles the hsize value during log recovery buffer allocation. The fix involves open coding xloglogrechblks and taking the fixed hsize into account for buffer calculation. Updates are available through various Linux distributions, including Red Hat Enterprise Linux (Red Hat Advisory).