CVE-2024-42300: 
Linux Debian vulnerability analysis and mitigation

A race condition vulnerability was discovered in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation, identified as CVE-2024-42300. The issue occurs in the zerofsgetgbuf() function where a task may be migrated to another CPU between zerofsgbufid() and spin_lock(&gbuf->lock) operations. This vulnerability was discovered through stress testing and affects the kernel's file system functionality (Kernel Git).

The vulnerability stems from a race condition in the EROFS filesystem's buffer management code. When executing zerofsgetgbuf(), there is a window between calling zerofsgbufid() and acquiring the spin lock where task migration can occur, leading to potential memory corruption. The issue manifests as a kernel BUG at fs/erofs/zutil.c:58 during the execution of zerofsput_gbuf(). The vulnerability was confirmed through stress testing on Linux kernel version 6.10.0-rc7+ (Kernel Git).

When triggered, this vulnerability causes a kernel BUG condition, which results in a system crash. This can lead to denial of service conditions, particularly under heavy system load or stress conditions. The issue specifically affects systems using the EROFS filesystem and can be triggered during file operations that involve compressed data decompression (Kernel Git).

The issue has been fixed by adding migratedisable() and migrateenable() calls around the critical section in zerofsgetgbuf() and zerofsputgbuf() functions. The fix prevents task migration during the critical buffer management operations. The patch has been merged into the Linux kernel (Kernel Git).