{"id":"AZL-53373","summary":"CVE-2024-50250 affecting package kernel for versions less than 6.6.64.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: dax_unshare_iter needs to copy entire blocks\n\nThe code that copies data from srcmap to iomap in dax_unshare_iter is\nvery very broken, which bfoster's recent fsx changes have exposed.\n\nIf the pos and len passed to dax_file_unshare are not aligned to an\nfsblock boundary, the iter pos and length in the _iter function will\nreflect this unalignment.\n\ndax_iomap_direct_access always returns a pointer to the start of the\nkmapped fsdax page, even if its pos argument is in the middle of that\npage.  This is catastrophic for data integrity when iter-\u003epos is not\naligned to a page, because daddr/saddr do not point to the same byte in\nthe file as iter-\u003epos.  Hence we corrupt user data by copying it to the\nwrong place.\n\nIf iter-\u003epos + iomap_length() in the _iter function not aligned to a\npage, then we fail to copy a full block, and only partially populate the\ndestination block.  This is catastrophic for data confidentiality\nbecause we expose stale pmem contents.\n\nFix both of these issues by aligning copy_pos/copy_len to a page\nboundary (remember, this is fsdax so 1 fsblock == 1 base page) so that\nwe always copy full blocks.\n\nWe're not done yet -- there's no call to invalidate_inode_pages2_range,\nso programs that have the file range mmap'd will continue accessing the\nold memory mapping after the file metadata updates have completed.\n\nBe careful with the return value -- if the unshare succeeds, we still\nneed to return the number of bytes that the iomap iter thinks we're\noperating on.","modified":"2026-04-01T05:18:02.426218Z","published":"2024-11-09T11:15:10Z","upstream":["CVE-2024-50250"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50250"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.64.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53373.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}