CVE-2024-42300
📋 TL;DR
A race condition vulnerability in the Linux kernel's EROFS filesystem driver allows a local attacker to trigger a kernel panic (denial of service) by exploiting timing issues in buffer management during decompression. This affects systems using EROFS with the z_erofs compression backend. Only local users with filesystem access can trigger this issue.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
Local denial of service through kernel panic when specific decompression operations are performed concurrently.
If Mitigated
Minimal impact if EROFS is not used or if systems have proper access controls limiting local user privileges.
🎯 Exploit Status
Exploitation requires local access and specific timing conditions during decompression operations. Found during stress testing rather than real-world exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 49b22e06a947727a6d1c802d2d9ad92420b90fc5 and 7dc5537c3f8be87e005f0844a7626c987914f8fd
Vendor Advisory: https://git.kernel.org/stable/c/49b22e06a947727a6d1c802d2d9ad92420b90fc5
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Check with your distribution for backported patches.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable EROFS usage
Avoid using the EROFS filesystem with z_erofs compression to prevent triggering the vulnerability
Restrict local user access
Limit which users can access EROFS filesystems or perform decompression operations
🧯 If You Can't Patch
- Monitor for kernel panic events related to erofs in system logs
- Implement strict access controls to limit which users can interact with EROFS filesystems
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with 'uname -r', and check whether EROFS is in use by looking for erofs in /proc/filesystems or in mount output
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched and check that stress tests with EROFS decompression no longer cause kernel panics
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages containing 'erofs' or 'z_erofs'
- BUG at fs/erofs/zutil.c in kernel logs
- Call traces involving z_erofs_put_gbuf or z_erofs_lz4_decompress
SIEM Query:
source="kernel" AND ("erofs" OR "z_erofs" OR "BUG at fs/erofs/zutil.c")
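The verification steps above (is EROFS registered or mounted?) and the log indicators listed here, combined into one triage script as an added example that is not part of this advisory; the filesystem list, mount table and kernel-log lines are constructed samples, and the BUG line number NN is a placeholder.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-42300 (example code, not part of the advisory).
# Two checks a defender wants: is EROFS registered or mounted on this host, and
# do kernel logs carry the indicators listed in the advisory? Both functions read
# files passed as arguments, so constructed samples can be checked offline.

# Return 0 if 'erofs' appears in a /proc/filesystems-style list ($1) or as the
# fstype column of a /proc/mounts-style list ($2).
erofs_in_use() {
    grep -q '[[:space:]]erofs$' "$1" 2>/dev/null && return 0
    awk '$3 == "erofs" { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# Print how many lines of a kernel log ($1) match the advisory's indicators:
# the BUG location, the two z_erofs call-trace symbols, or a panic line that
# names erofs. grep -c exits 1 when nothing matches, hence the || true.
count_erofs_indicators() {
    grep -c -E 'BUG at fs/erofs/zutil\.c|z_erofs_put_gbuf|z_erofs_lz4_decompress|[Kk]ernel panic.*erofs' "$1" || true
}

# Constructed sample inputs (not captured from a real system; the BUG line
# number NN is a placeholder). Removed when the shell exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_FS="$SAMPLE_DIR/filesystems"
SAMPLE_MOUNTS="$SAMPLE_DIR/mounts"
SAMPLE_LOG="$SAMPLE_DIR/kern.log"
printf 'nodev\tproc\n\text4\n\terofs\n' > "$SAMPLE_FS"
printf '/dev/loop0 /mnt/img erofs ro,relatime 0 0\n' > "$SAMPLE_MOUNTS"
cat > "$SAMPLE_LOG" <<'EOF'
[  512.337101] ------------[ cut here ]------------
[  512.337110] kernel BUG at fs/erofs/zutil.c:NN!
[  512.337900] Call Trace:
[  512.337905]  z_erofs_put_gbuf+0x20/0x30
[  512.337910]  z_erofs_lz4_decompress+0x1f4/0x5a0
[  513.100000] usb 1-1: new high-speed USB device number 2
EOF

# Run the checks on the samples, then on the live host when /proc is readable.
if erofs_in_use "$SAMPLE_FS" "$SAMPLE_MOUNTS"; then echo "sample: erofs in use"; fi
echo "sample: $(count_erofs_indicators "$SAMPLE_LOG") indicator line(s)"
if [ -r /proc/filesystems ] && [ -r /proc/mounts ]; then
    echo "host kernel: $(uname -r)"
    if erofs_in_use /proc/filesystems /proc/mounts; then
        echo "host: erofs registered or mounted; confirm the fix commits are in $(uname -r)"
    else
        echo "host: erofs not registered or mounted"
    fi
fi
```

On a real host, point count_erofs_indicators at the output of dmesg or journalctl -k saved to a file.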