CVE-2024-50279: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50279 is a vulnerability discovered in the Linux kernel's dm-cache subsystem, specifically affecting the dirty bitset access when resizing cache devices. The vulnerability was disclosed on November 18, 2024, and affects Linux kernel versions from 3.13 up to versions before 6.11.8. The issue occurs in the device mapper cache implementation when checking dirty bits of cache blocks during fast device shrinking operations (NVD).

The vulnerability is an out-of-bounds access issue in the dm-cache component when resizing the cache device. The bug occurs due to an index bug in bitset iteration that causes out-of-bounds access to the dirty bitset. When shrinking the fast device, dm-cache checks the dirty bits of the cache blocks to be dropped, but the incorrect index handling leads to accessing memory outside the allocated bounds. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability can lead to out-of-bounds memory access, potentially causing information disclosure or system crashes. When exploited, it allows reading memory outside the allocated bounds of the dirty bitset buffer, which could expose sensitive kernel memory contents. The issue is particularly concerning as it affects the device mapper cache functionality, a core component of Linux storage management (Kernel Patch).

The vulnerability has been fixed by modifying the index increment operation in the dm-cache code. The fix involves changing the position of the index increment operation to prevent the out-of-bounds access. Users should update their Linux kernel to versions that include the fix. The patch has been backported to multiple stable kernel versions (Kernel Patch).