{"id":"CVE-2024-50250","summary":"fsdax: dax_unshare_iter needs to copy entire blocks","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: dax_unshare_iter needs to copy entire blocks\n\nThe code that copies data from srcmap to iomap in dax_unshare_iter is\nvery very broken, which bfoster's recent fsx changes have exposed.\n\nIf the pos and len passed to dax_file_unshare are not aligned to an\nfsblock boundary, the iter pos and length in the _iter function will\nreflect this unalignment.\n\ndax_iomap_direct_access always returns a pointer to the start of the\nkmapped fsdax page, even if its pos argument is in the middle of that\npage.  This is catastrophic for data integrity when iter-\u003epos is not\naligned to a page, because daddr/saddr do not point to the same byte in\nthe file as iter-\u003epos.  Hence we corrupt user data by copying it to the\nwrong place.\n\nIf iter-\u003epos + iomap_length() in the _iter function not aligned to a\npage, then we fail to copy a full block, and only partially populate the\ndestination block.  This is catastrophic for data confidentiality\nbecause we expose stale pmem contents.\n\nFix both of these issues by aligning copy_pos/copy_len to a page\nboundary (remember, this is fsdax so 1 fsblock == 1 base page) so that\nwe always copy full blocks.\n\nWe're not done yet -- there's no call to invalidate_inode_pages2_range,\nso programs that have the file range mmap'd will continue accessing the\nold memory mapping after the file metadata updates have completed.\n\nBe careful with the return value -- if the unshare succeeds, we still\nneed to return the number of bytes that the iomap iter thinks we're\noperating on.","modified":"2026-05-18T05:57:57.530696693Z","published":"2024-11-09T10:14:59.003Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:02388-1","SUSE-SU-2025:02389-1","SUSE-SU-2025:02390-1","SUSE-SU-2025:02411-1","SUSE-SU-2025:02412-1","SUSE-SU-2025:02420-1","SUSE-SU-2025:02440-1","SUSE-SU-2025:02449-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","SUSE-SU-2025:20517-1","SUSE-SU-2025:20518-1","SUSE-SU-2025:20525-1","SUSE-SU-2025:20526-1","SUSE-SU-2025:20540-1","SUSE-SU-2025:20544-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50250.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/50793801fc7f6d08def48754fb0f0706b0cfc394"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8e9c0f500b42216ef930f5c0d1703989a451913d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9bc18bb476e50e32e5d08f2734d63d63e0fa528c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bdbc96c23197d773a7d1bf03e4f11de593b0ff28"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50250.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50250"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1bec6782a25c9b92c203ea7a1b3e3dc6a468cbc4"},{"fixed":"bdbc96c23197d773a7d1bf03e4f11de593b0ff28"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d984648e428bf88cbd94ebe346c73632cb92fffb"},{"fixed":"9bc18bb476e50e32e5d08f2734d63d63e0fa528c"},{"fixed":"8e9c0f500b42216ef930f5c0d1703989a451913d"},{"fixed":"50793801fc7f6d08def48754fb0f0706b0cfc394"}]}],"versions":["v6.1.115","v6.1.114","v6.1.113"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50250.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.116"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.60"},{"fixed":"6.11.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50250.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}