CVE-2024-42079
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix NULL pointer dereference in gfs2_log_flush

In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush().

In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).
Analysis
This is a NULL pointer dereference in the Linux kernel's GFS2 (Global File System 2) subsystem. It occurs in the log flush path when outstanding glock work races with a filesystem unmount. An unprivileged local attacker can trigger it to cause a kernel panic and denial of service by timing glock operations to race with an unmount, since sdp->sd_jdesc is dereferenced without a NULL check. Patches are available from the Linux kernel development team across multiple stable branches; while the EPSS score is very low (0.05%), the impact is a complete loss of system availability through a kernel crash.
Technical Context
The vulnerability exists in the GFS2 filesystem implementation, a shared-disk cluster filesystem in Linux (CPE: cpe:2.3:o:linux:linux_kernel). The root cause is classified as CWE-476 (NULL Pointer Dereference) combined with a race condition in gfs2_log_flush(). The issue arises from inadequate synchronization between gfs2_jindex_free(), which tears down the journal index descriptor (sdp->sd_jdesc), and gfs2_log_flush(), which may attempt to dereference it. The kernel's glock (global lock) subsystem calls inode_go_sync() during lock transitions, which in turn invokes gfs2_log_flush(). Without the lock and the NULL check, concurrent execution of an unmount (setting sdp->sd_jdesc to NULL) and glock work (dereferencing sdp->sd_jdesc) opens a classic use-after-free/NULL-dereference window. The fix sets sdp->sd_jdesc to NULL under the log flush lock to provide mutual exclusion and adds an explicit NULL pointer check before the dereference.
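The lock-and-check pattern of the fix, as an added user-space model that is not the kernel's code: the unmount side clears the descriptor pointer under the log flush lock and the flush side tests it under that same lock. The struct names, the pthread mutex standing in for the kernel's log flush lock, and the race drill are assumptions of this model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct jdesc { int jd_jid; };           /* stand-in for struct gfs2_jdesc */
struct sbd {                            /* stand-in for struct gfs2_sbd */
    pthread_mutex_t sd_log_flush_lock;  /* models the kernel's log flush lock */
    struct jdesc *sd_jdesc;
};
static void sbd_init(struct sbd *sdp) {
    pthread_mutex_init(&sdp->sd_log_flush_lock, NULL);
    sdp->sd_jdesc = calloc(1, sizeof *sdp->sd_jdesc);
}
/* Unmount side, modelled on gfs2_jindex_free(): the fix moves the NULL
 * store under the log flush lock so no flush can be mid-dereference. */
static void model_jindex_free(struct sbd *sdp) {
    pthread_mutex_lock(&sdp->sd_log_flush_lock);
    struct jdesc *jd = sdp->sd_jdesc;
    sdp->sd_jdesc = NULL;
    pthread_mutex_unlock(&sdp->sd_log_flush_lock);
    free(jd);
}
/* Glock-work side, modelled on gfs2_log_flush(): the unfixed body dereferenced
 * sd_jdesc unconditionally; the fix checks it under the same lock. */
static bool model_log_flush(struct sbd *sdp) {
    bool did_flush = false;
    pthread_mutex_lock(&sdp->sd_log_flush_lock);
    if (sdp->sd_jdesc) {                /* the added NULL check */
        sdp->sd_jdesc->jd_jid++;        /* stands in for the real use */
        did_flush = true;
    }
    pthread_mutex_unlock(&sdp->sd_log_flush_lock);
    return did_flush;
}
/* Race drill: n flushes on a worker thread while this thread unmounts. Returns
 * how many flushes used the descriptor; the rest were skipped, not crashed. */
struct drill { struct sbd *sdp; long n, flushed; };
static void *flusher(void *arg) {
    struct drill *d = arg;
    for (long i = 0; i < d->n; i++)
        d->flushed += model_log_flush(d->sdp);
    return NULL;
}
static long race_drill(struct sbd *sdp, long n) {
    pthread_t t;
    struct drill d = { sdp, n, 0 };
    pthread_create(&t, NULL, flusher, &d);
    model_jindex_free(sdp);
    pthread_join(t, NULL);
    return d.flushed;
}
```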
Affected Products
All versions of the Linux kernel implementing the GFS2 filesystem are affected, as identified by the CPE cpe:2.3:o:linux:linux_kernel. The vulnerability impacts the kernel's GFS2 subsystem across all currently maintained stable kernel branches (4.19, 5.4, 5.10, 5.15, 6.1, 6.4, and later, as evidenced by the seven distinct patch commits). No specific version range is given in the CVE description, which indicates that the vulnerability affects a broad range of kernel releases containing the vulnerable code path. Organizations using GFS2 for clustered storage should upgrade their kernel to versions containing the patches identified in the kernel.org stable tree references.
Remediation
Apply the kernel security patch immediately by updating the Linux kernel to a version containing one of the fixes committed at git.kernel.org/stable with commit hashes 3429ef5f50909cee9e498c50f0c499b9397116ce, 35264909e9d1973ab9aaa2a1b07cda70f12bb828, 5f6a84cfb33b34610623857bd93919dcb661e29b, c3c5cfa3170c0940bc66a142859caac07d19b9d6, or f54f9d5368a4e92ede7dd078a62788dae3a7c6ef. For enterprise systems, work with your distribution vendor (Red Hat, Canonical, SUSE, Debian) to obtain backported kernels through their respective security channels. Until patching is feasible, minimize the risk by avoiding unmount operations on GFS2 filesystems during periods of active I/O and glock contention; however, this is not a reliable mitigation and patching should be prioritized. For clusters, perform rolling kernel updates to ensure high availability while patches are deployed.