CVE-2024-47736: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2024-47736) was discovered in the EROFS (Enhanced Read-Only File System) implementation. The issue was identified when syzbot reported a task hang due to a deadlock condition where it waits for the folio lock of a cached folio that will be used for cache I/Os. The vulnerability affects Linux kernel versions from 5.13 up to (excluding) 6.10.13 and from 6.11 up to (excluding) 6.11.2 (NVD).

The vulnerability occurs when handling overlapped pclusters in crafted images. The issue manifests when physically overlapped big pclusters are present in the filesystem image, such as when extent 0 and 1 share physical space, which is impossible in normal filesystem images generated by mkfs. The code incorrectly handles the arrangement of zerofsfillbiovec() and BIO submission, leading to unexpected BIO waits. Additionally, managed folios containing compressed data are marked as up-to-date and unlocked immediately when compressed I/Os are complete, but the code fails to properly handle cases where physical blocks are not submitted in incremental order (Kernel Patch).

The vulnerability can result in a task hang due to deadlock conditions in the filesystem, potentially affecting system stability and performance. The issue specifically impacts systems using the EROFS filesystem with certain configurations (NVD).

The issue has been fixed in Linux kernel versions 6.10.13 and 6.11.2. The patch implements a fallback to temporary short-lived pages for correctness when handling overlapped big pclusters in crafted images. The fix also includes modifications to handle cache I/O operations properly and prevents potential deadlock conditions (Kernel Patch).