CVE-2024-56548
📋 TL;DR
CVE-2024-56548 is a use-after-free vulnerability in the Linux kernel's HFS+ filesystem driver that occurs when the logical block size of a device changes during operation. It potentially allows local attackers to write to out-of-bounds memory, leading to system crashes or kernel memory corruption. It affects systems using HFS+ filesystems, particularly with loop devices, where block sizes can be modified.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to system crash, privilege escalation, or arbitrary code execution in kernel context.
Likely Case
System crash or kernel panic when mounting HFS+ filesystems on loop devices with modified block sizes.
If Mitigated
No impact if HFS+ filesystems are not used or loop devices with block size changes are avoided.
🎯 Exploit Status
Requires local access and ability to mount HFS+ filesystems and modify loop device block sizes. The KASAN report shows a clear trigger path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits: 06cbfbb13ac88f4154c2eb4bc4176f9d10139847, 1c82587cb57687de3f18ab4b98a8850c789bedcf, 21900e8478126ff6afe3b66679f676e74d1f8830, 2667c9b7b76efcbc7adbfea249892f20c313b0da, 3d7bda75e1a6239db053c73acde17ca146317824
Vendor Advisory: https://git.kernel.org/stable/c/06cbfbb13ac88f4154c2eb4bc4176f9d10139847
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check your distribution's security advisories for specific patched kernel versions.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable HFS+ module
Prevent loading of HFS+ filesystem driver if not needed
echo 'install hfsplus /bin/false' >> /etc/modprobe.d/disable-hfsplus.conf
rmmod hfsplus
Restrict loop device usage
Limit who can create and modify loop devices
chmod 600 /dev/loop-control
setfacl -m u:root:rw /dev/loop-control
🧯 If You Can't Patch
- Avoid using HFS+ filesystems, especially on loop devices.
- Restrict user access to loop device creation and block size modification capabilities.
🔍 How to Verify
Check if Vulnerable:
Check if HFS+ module is loaded and kernel version is unpatched: lsmod | grep hfsplus && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched and test mounting HFS+ filesystem on loop device with different block sizes.
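The module check above and the "Disable HFS+ module" workaround can be audited together. The script below is an added example, not part of the original advisory; its function names are hypothetical, and it assumes an `install hfsplus` line pointing at /bin/false or /bin/true is the blocking form, since a bare `blacklist` entry only suppresses alias-based autoloading.

```shell
#!/bin/sh
# Added example (not from the advisory). Paths are parameters so the audit can
# run on copies of /proc/modules and /etc/modprobe.d as well as the live system.

# hfsplus_loaded FILE: succeed if FILE (in /proc/modules format) lists hfsplus.
hfsplus_loaded() {
    f=${1:-/proc/modules}
    [ -r "$f" ] || return 1
    awk '$1 == "hfsplus" { found = 1 } END { exit !found }' "$f"
}

# hfsplus_load_policy DIR: print how the modprobe configuration treats hfsplus:
#   blocked    an "install hfsplus" line runs /bin/false or /bin/true
#   blacklist  only "blacklist hfsplus": stops alias autoload, not "modprobe hfsplus"
#   open       nothing restricts loading
hfsplus_load_policy() {
    dir=${1:-/etc/modprobe.d}
    # A missing directory or no *.conf files yields empty input, i.e. "open".
    cat "$dir"/*.conf 2>/dev/null | awk '
        /^[ \t]*#/ { next }
        $1 == "install" && $2 == "hfsplus" &&
            ($3 == "/bin/false" || $3 == "/bin/true") { blocked = 1 }
        $1 == "blacklist" && $2 == "hfsplus" { listed = 1 }
        END {
            if (blocked)     print "blocked"
            else if (listed) print "blacklist"
            else             print "open"
        }'
}

# hfsplus_exposure MODULES_FILE MODPROBE_DIR: one-word summary of both checks.
hfsplus_exposure() {
    if hfsplus_loaded "$1"; then
        echo "loaded"
    else
        hfsplus_load_policy "$2"
    fi
}

# Live-system check using the default paths.
hfsplus_exposure /proc/modules /etc/modprobe.d
```

modprobe also reads /run/modprobe.d and /usr/lib/modprobe.d, so run `hfsplus_load_policy` on each directory in use.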
📡 Detection & Monitoring
Log Indicators:
- KASAN reports for slab-use-after-free in hfsplus_read_wrapper
- Kernel panic or oops messages related to HFS+ or loop devices
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
kernel: "BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper" OR kernel: "hfsplus: panic"
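The KASAN log indicator above, as an added example that is not part of the original advisory: a scanner for kernel log text that reports each hit in hfsplus_read_wrapper with its bug type, access direction and task. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find KASAN reports that name
# hfsplus_read_wrapper in kernel log text (dmesg / journalctl -k output).

# scan_hfsplus_kasan [FILE]: read FILE or stdin; print one line per report as
# "<bug type> <read|write|unknown> task=<comm/pid>"; succeed only on a hit.
scan_hfsplus_kasan() {
    awk '
        /BUG: KASAN: .* in hfsplus_read_wrapper/ {
            # Flush an earlier report whose access line never appeared.
            if (pending) print bug, "unknown task=unknown"
            sub(/.*BUG: KASAN: /, ""); bug = $1
            pending = 1; hits++
            next
        }
        # In a KASAN report the access line follows the BUG line.
        pending && /(Read|Write) of size [0-9]+ at addr/ {
            access = ($0 ~ /Write of size/) ? "write" : "read"
            task = $0; sub(/.* by task /, "", task)
            print bug, access, "task=" task
            pending = 0
        }
        END {
            if (pending) print bug, "unknown task=unknown"
            exit (hits ? 0 : 1)
        }' "${1:--}"
}

# Constructed sample log: one matching report and one unrelated KASAN report.
sample_log() {
    cat <<'EOF'
[  101.000001] loop0: detected capacity change from 0 to 1024
[  101.000002] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x100/0x200
[  101.000003] Read of size 2 at addr ffff888000000000 by task demo/1234
[  101.000004] CPU: 0 UID: 0 PID: 1234 Comm: demo Not tainted
[  202.000001] BUG: KASAN: slab-out-of-bounds in other_function+0x10/0x20
[  202.000002] Write of size 4 at addr ffff888000000010 by task other/42
EOF
}

# Demo on the constructed sample; on a host, pipe dmesg or journalctl -k instead.
sample_log | scan_hfsplus_kasan
```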
🔗 References
- https://git.kernel.org/stable/c/06cbfbb13ac88f4154c2eb4bc4176f9d10139847
- https://git.kernel.org/stable/c/1c82587cb57687de3f18ab4b98a8850c789bedcf
- https://git.kernel.org/stable/c/21900e8478126ff6afe3b66679f676e74d1f8830
- https://git.kernel.org/stable/c/2667c9b7b76efcbc7adbfea249892f20c313b0da
- https://git.kernel.org/stable/c/3d7bda75e1a6239db053c73acde17ca146317824
- https://git.kernel.org/stable/c/baccb5e12577b7a9eff54ffba301fdaa0f3ee5a8
- https://git.kernel.org/stable/c/bfeecda050aa9376f642d5b2a71c4112cc6c8216
- https://git.kernel.org/stable/c/e8a2b1c1c2ea85e9a5a2d0c5a5a7e7c639feb866
- https://git.kernel.org/stable/c/f57725bcc5816425e25218fdf5fb6923bc578cdf
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html