CVE-2024-38570
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's GFS2 filesystem implementation. During filesystem unmount, glock objects could be accessed after being freed, potentially leading to kernel crashes or privilege escalation. Systems using GFS2 filesystems with affected kernel versions are vulnerable.
💻 Affected Systems
- Linux kernel with GFS2 filesystem support
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to root via kernel memory corruption.
Likely Case
System instability or crash during GFS2 filesystem unmount operations.
If Mitigated
No impact if GFS2 filesystems are not in use or system is patched.
🎯 Exploit Status
Requires local access and ability to trigger GFS2 unmount operations. No public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 0636b34b44589b142700ac137b5f69802cfe2e37, 501cd8fabf621d10bd4893e37f6ce6c20523c8ca, d98779e687726d8f8860f1c54b5687eec5f63a73, e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0
Vendor Advisory: https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable GFS2 filesystem usage
Avoid using GFS2 filesystems on affected systems
# Check for GFS2 mounts:
mount | grep gfs2
# Unmount any GFS2 filesystems:
umount /path/to/gfs2/mount
🧯 If You Can't Patch
- Avoid unmounting GFS2 filesystems on affected systems
- Restrict local access to systems with GFS2 filesystems
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether GFS2 filesystems are mounted:
uname -r && mount | grep gfs2
Check Version:
uname -r
Verify Fix Applied:
Verify the kernel version is patched and no longer vulnerable: run uname -r and compare the result with the fixed versions.
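A stricter form of the exposure check above, as an added example that is not part of the original advisory: `mount | grep gfs2` also matches mount paths that merely contain the string, so this script compares the filesystem-type field of /proc/mounts exactly and falls back to /proc/filesystems to see whether the GFS2 driver is registered at all. The function names and the three status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a host's GFS2 exposure for CVE-2024-38570 triage.
# Usage (on the host being checked):  gfs2_exposure
# Both input files can be overridden, e.g. to check a collected copy offline.

# Print the mount point of every filesystem whose type is exactly "gfs2".
# /proc/mounts fields: device, mount point, fstype, options, dump, pass.
gfs2_mounts() {
    awk '$3 == "gfs2" { print $2 }' "${1:-/proc/mounts}"
}

# Succeed if the running kernel has the gfs2 filesystem type registered,
# whether it was loaded as a module or built in.
# /proc/filesystems lines are "[nodev]<TAB>name", so the name is the last field.
gfs2_registered() {
    awk '$NF == "gfs2" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}"
}

# Print one status word:
#   mounted     - at least one GFS2 filesystem is mounted (unmount path reachable)
#   registered  - driver present but nothing mounted
#   not-in-use  - driver not registered in the running kernel
gfs2_exposure() {
    mounts_file=${1:-/proc/mounts}
    fs_file=${2:-/proc/filesystems}
    if [ -n "$(gfs2_mounts "$mounts_file")" ]; then
        echo "mounted"
    elif gfs2_registered "$fs_file"; then
        echo "registered"
    else
        echo "not-in-use"
    fi
}
```

The status only describes GFS2 usage; whether the running kernel contains the fix commits still has to be confirmed against the distribution's kernel changelog.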
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- GFS2 unmount errors in system logs
- Use-after-free kernel messages
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("panic" OR "use-after-free" OR "GFS2" OR "glock")
🔗 References
- https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37
- https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca
- https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73
- https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0