CVE-2024-26880 - How a Resume Pairing Bug in Linux Kernel's Device Mapper Could Crash Your System (Exploit & Fix)

CVE-2024-26880 is a recently resolved vulnerability in the Linux kernel's device-mapper (DM) subsystem, the layer underneath LVM2 (Logical Volume Manager) and most other modern Linux storage stacks. It was found while running the lvm2 test suite: a target's postsuspend method could be called twice with no resume in between, which for the snapshot-origin target means unlinking a list entry that has already been unlinked. The result is kernel list corruption, a BUG(), and a denial of service.

This article gives a simplified but technical explanation of how the bug arises, how it crashes a system, and how it was fixed. We'll look at the relevant kernel code and the call trace, and at how a researcher (or, on a vulnerable host, an administrator running an ordinary LVM script) can reproduce it.

The Vulnerability Explained

Device-mapper provides a framework for mapping one block device onto another. Each target type implements a set of methods that dm calls as the device changes state: presuspend and postsuspend around a suspend, preresume and resume around a resume. Targets rely on these calls being paired. The snapshot-origin target, for instance, adds itself to a global list of origins in origin_resume and removes itself from that list in origin_postsuspend.

The core issue:

Device-mapper has an internal suspend/resume path that it uses on its own, without a DM_DEV_SUSPEND ioctl from userspace. On internal suspend it called the targets' postsuspend methods; on internal resume it resumed the device with a NULL table, so the targets' preresume and resume methods were skipped entirely. The next ordinary suspend then called postsuspend a second time with no resume in between. For the origin target that means list_del on an entry that was already unlinked: with CONFIG_DEBUG_LIST the check in lib/list_debug.c catches it and BUG()s; without it, list_del writes through the poisoned pointers and the kernel faults. Either way the machine goes down.

The kernel then hits BUG() in the list-corruption check:

------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
invalid opcode: 0000 [#1] PREEMPT SMP
...
Call Trace:
 origin_postsuspend+0x1a/0x50 [dm_snapshot]
 dm_table_postsuspend_targets+0x34/0x50 [dm_mod]
 dm_suspend+0xd8/0xf0 [dm_mod]
 dev_suspend+0x1f2/0x2f0 [dm_mod]
 ...

Here's where the second call lands (simplified from drivers/md/dm-table.c)

// From drivers/md/dm-table.c (simplified)

void dm_table_postsuspend_targets(struct dm_table *t)
{
	unsigned int i;

	if (!t)
		return;

	/* call the postsuspend method of every target in the table */
	for (i = 0; i < t->num_targets; i++) {
		struct dm_target *ti = dm_table_get_target(t, i);

		if (ti->type->postsuspend)
			ti->type->postsuspend(ti);
	}
}

This loop is fine on its own; the defect is in its caller. Before the fix, __dm_internal_resume resumed the device with a NULL table, so dm_table_resume_targets (preresume, then resume, for every target) never ran. The next suspend called postsuspend again on targets that had never been resumed, and origin_postsuspend unlinked a list entry that was already unlinked.

The FIX

The fix for CVE-2024-26880 is upstream commit fa717a052ec1, "dm: call the resume method on internal suspend":
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa717a052ec1

It changes __dm_internal_resume to resume the device with its real table, so every target's preresume and resume methods run on internal resume and postsuspend is never called twice in a row.

Relevant part of the patch (simplified; the real function also handles nested internal suspends):

/* drivers/md/dm.c, __dm_internal_resume() after the fix */
static void __dm_internal_resume(struct mapped_device *md)
{
	int r;
	struct dm_table *map;
	...
	/* Before: (void) __dm_resume(md, NULL);  -- the targets were never resumed */
	map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
	r = __dm_resume(md, map);   /* runs preresume, then resume, on every target */
	if (r) {
		/* no error path back to the caller: pretend a normal suspend happened */
		DMERR("Preresume method failed: %d", r);
		set_bit(DMF_SUSPENDED, &md->flags);
	}
	...
}

Edge consideration:
If a target's preresume method fails, __dm_internal_resume has no way to return an error to its caller. Faking success is not an option either: the targets would be left un-resumed and the next postsuspend would again be unpaired, which is exactly the bug being fixed. The patch therefore logs the error and _sets DMF_SUSPENDED to fake a normal suspend_. The targets stay suspended, userspace sees the device as suspended, and a later explicit resume runs preresume and resume again. The device may look stuck to tooling until that resume, but the kernel does not crash.
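The pairing rule from "The Vulnerability Explained" and the preresume-failure handling just described, as an added user-space model written for this article (it is not kernel code and not part of the upstream patch). It assumes one origin-like target per device, replaces the kernel's BUG() on list corruption with a counter, and injects a preresume failure through a flag the real target does not have; the kernel type and function names are reused only to make the mapping obvious.

```c
/* Added example, not kernel code: a user-space model of the device-mapper
 * postsuspend/resume pairing. Types and function names mirror the kernel's
 * only to make the correspondence clear; everything here is simplified. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
/* The lib/list_debug.c unlink check, reporting instead of BUG()ing. */
static bool list_del_checked(struct list_head *e)
{
	if (e->next == LIST_POISON1 || e->prev == LIST_POISON2 ||
	    e->prev->next != e || e->next->prev != e)
		return false;                   /* kernel: BUG at lib/list_debug.c */
	e->prev->next = e->next; e->next->prev = e->prev;
	e->next = LIST_POISON1; e->prev = LIST_POISON2;
	return true;
}
/* Origin-like target: leaves _origins in postsuspend, rejoins in resume. */
struct target { struct list_head hash_list; bool preresume_fails; };
static struct list_head _origins;
static int corruptions;                 /* would-be kernel BUG()s */
static void origin_postsuspend(struct target *t)
{ if (!list_del_checked(&t->hash_list)) corruptions++; }
static int origin_preresume(struct target *t)
{ return t->preresume_fails ? -EIO : 0; }   /* failure injected for the edge case */
static void origin_resume(struct target *t) { list_add(&t->hash_list, &_origins); }
struct mapped_device { struct target *map; bool suspended; int internal_suspend_count; };
static int __dm_resume(struct mapped_device *md, struct target *map)
{
	if (!map) return 0;                 /* NULL map: no target method runs */
	int r = origin_preresume(map);
	if (!r) origin_resume(map);
	return r;
}
static void dm_suspend(struct mapped_device *md)
{
	if (md->suspended) return;          /* kernel returns -EINVAL here */
	md->suspended = true;
	origin_postsuspend(md->map);
}
static int dm_resume(struct mapped_device *md)
{
	int r = md->suspended ? __dm_resume(md, md->map) : 0;
	if (!r) md->suspended = false;
	return r;
}
static void dm_internal_suspend(struct mapped_device *md)
{
	if (md->internal_suspend_count++ || md->suspended) return;  /* nested */
	origin_postsuspend(md->map);
}
/* Before fa717a052ec1 the map handed to __dm_resume was NULL, so the targets'
 * preresume/resume never ran. The fix passes the real map and, if preresume
 * fails, fakes a normal suspend by setting DMF_SUSPENDED. */
static void dm_internal_resume(struct mapped_device *md, bool fixed)
{
	if (--md->internal_suspend_count || md->suspended) return;
	if (__dm_resume(md, fixed ? md->map : NULL))
		md->suspended = true;           /* set_bit(DMF_SUSPENDED, &md->flags) */
}
/* internal suspend -> internal resume -> normal suspend; returns corruption count. */
static int run_scenario(bool fixed, bool preresume_fails)
{
	struct target t = { .preresume_fails = preresume_fails };
	struct mapped_device md = { .map = &t };
	INIT_LIST_HEAD(&_origins); corruptions = 0;
	origin_resume(&t);                  /* table activated: origin registered */
	dm_internal_suspend(&md);           /* postsuspend #1 */
	dm_internal_resume(&md, fixed);     /* resume the targets, or nothing at all */
	dm_suspend(&md);                    /* postsuspend #2: paired or not? */
	return corruptions;
}
/* After a faked suspend, an explicit resume retries preresume and re-pairs. */
static bool fixed_recovers_after_preresume_failure(void)
{
	struct target t = { .preresume_fails = true };
	struct mapped_device md = { .map = &t };
	INIT_LIST_HEAD(&_origins); corruptions = 0;
	origin_resume(&t);
	dm_internal_suspend(&md);
	dm_internal_resume(&md, true);      /* preresume fails: device stays suspended */
	t.preresume_fails = false;
	if (dm_resume(&md)) return false;   /* explicit resume: preresume/resume now run */
	dm_suspend(&md);                    /* postsuspend paired with a resume */
	return corruptions == 0 && md.suspended;
}
int main(void)
{
	printf("buggy: %d corruption(s), fixed: %d, fixed+preresume failure: %d, recovers: %d\n",
	       run_scenario(false, false), run_scenario(true, false),
	       run_scenario(true, true), fixed_recovers_after_preresume_failure());
	return 0;
}
```

Build with cc -Wall model.c. The buggy path reports one corruption (the second list_del on an already poisoned entry), the fixed path none, and the recovery case shows why leaving DMF_SUSPENDED set is the right choice when preresume fails: the next postsuspend can only run after an explicit resume has re-registered the origin.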


How to Reproduce / Exploit

This isn't a privilege escalation. It is a denial of service, and the device-mapper ioctls involved (DM_DEV_SUSPEND and friends) require CAP_SYS_ADMIN, so it can only be triggered by root or an equivalently privileged process, or as a side effect of ordinary LVM administration on a vulnerable kernel. The practical risk is a storage server or VM host crashing in the middle of routine snapshot and volume operations.

Create LVM snapshots and suspend, resume, merge and recreate them repeatedly, as the lvm2 test suite does:

- Run the LVM2 test suite, or
- Manually use a combination of lvcreate, lvremove, lvconvert, lvchange, and snapshot operations.

Example Test (Bash snippet)

# Run as root on a throwaway VM: the goal is a kernel crash.
# Assumes a volume group "vg" with an unmounted logical volume "origin";
# if origin is open, lvm defers the merge until the next activation.
lvcreate -L1G -s -n snap /dev/vg/origin     # create a snapshot of origin

# Suspend/resume triggers (dm names are VG-LV; lvm doubles hyphens in names)
dmsetup suspend vg-origin
dmsetup resume vg-origin

# Merge the snapshot back into the origin and recreate it, repeatedly
for i in $(seq 1 100); do
  lvconvert --merge vg/snap || break              # polls until the merge completes
  lvcreate -L1G -s -n snap /dev/vg/origin || break
done

*With a vulnerable kernel, a crash could occur, visible via kernel logs/dmesg.*

Mitigation and Patch

Fixed upstream in Linux 6.8 by commit fa717a052ec1. The commit was marked for the stable trees, so check your distribution's kernel changelog for the backport rather than assuming from the version number.
Upstream bug discussion: lkml.org thread

Workaround for sysadmins:

There is no configuration workaround short of not using device-mapper; the mitigation is a patched kernel.

- Avoid custom/private kernel builds without this patch if you use LVM snapshots or device-mapper.
- Until patched, keep snapshot merges and bulk activate/deactivate runs away from production hosts: the crash was hit by ordinary lvm2 operations in its own test suite, not by a crafted exploit.

Conclusion

CVE-2024-26880 is a great example of how intricate kernel state handling can go wrong, especially in subsystems as complex as device-mapper. While it "only" acts as a DoS vector, its ability to crash the kernel simply by repeated volume/snapshot operations makes it high-impact for anyone operating storage-heavy Linux servers or VMs. The fix, now upstream, should be backported to all active distributions.

References

- Kernel Patch & Discussion
- Original bug report (LKML thread)
- LVM2 Official

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 11/01/2024 18:35:03 UTC