{"vulnerability": "CVE-2024-56548", "sightings": [{"uuid": "9cb003d0-116e-47cc-814c-6aa2f9fa3e91", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-56548", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lec6nirygt2l", "content": "", "creation_timestamp": "2024-12-27T14:19:35.224097Z"}, {"uuid": "cf25a790-891d-407d-89a2-5dc09b877c5a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-56548", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "6e267dbf-59b1-4f37-be1d-31e47af0c58d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-56548", "type": "seen", "source": "https://t.me/cvedetector/13739", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-56548 - IBM Linux hfsplus slab use after free\", \n  \"Content\": \"CVE ID : CVE-2024-56548 \nPublished : Dec. 27, 2024, 2:15 p.m. | 42\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nhfsplus: don't query the device logical block size multiple times  \n  \nDevices block sizes may change. One of these cases is a loop device by  \nusing ioctl LOOP_SET_BLOCK_SIZE.  \n  \nWhile this may cause other issues like IO being rejected, in the case of  \nhfsplus, it will allocate a block by using that size and potentially write  \nout-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the  \nlatter function reads a different io_size.  \n  \nUsing a new min_io_size initally set to sb_min_blocksize works for the  \npurposes of the original fix, since it will be set to the max between  \nHFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the  \nmax between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not  \ninitialized.  \n  \nTested by mounting an hfsplus filesystem with loop block sizes 512, 1024  \nand 4096.  \n  \nThe produced KASAN report before the fix looks like this:  \n  \n[  419.944641] ==================================================================  \n[  419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a  \n[  419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678  \n[  419.947612]  \n[  419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84  \n[  419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014  \n[  419.950035] Call Trace:  \n[  419.950384]    \n[  419.950676]  dump_stack_lvl+0x57/0x78  \n[  419.951212]  ? hfsplus_read_wrapper+0x659/0xa0a  \n[  419.951830]  print_report+0x14c/0x49e  \n[  419.952361]  ? __virt_addr_valid+0x267/0x278  \n[  419.952979]  ? kmem_cache_debug_flags+0xc/0x1d  \n[  419.953561]  ? hfsplus_read_wrapper+0x659/0xa0a  \n[  419.954231]  kasan_report+0x89/0xb0  \n[  419.954748]  ? hfsplus_read_wrapper+0x659/0xa0a  \n[  419.955367]  hfsplus_read_wrapper+0x659/0xa0a  \n[  419.955948]  ? __pfx_hfsplus_read_wrapper+0x10/0x10  \n[  419.956618]  ? do_raw_spin_unlock+0x59/0x1a9  \n[  419.957214]  ? _raw_spin_unlock+0x1a/0x2e  \n[  419.957772]  hfsplus_fill_super+0x348/0x1590  \n[  419.958355]  ? hlock_class+0x4c/0x109  \n[  419.958867]  ? __pfx_hfsplus_fill_super+0x10/0x10  \n[  419.959499]  ? __pfx_string+0x10/0x10  \n[  419.960006]  ? lock_acquire+0x3e2/0x454  \n[  419.960532]  ? bdev_name.constprop.0+0xce/0x243  \n[  419.961129]  ? __pfx_bdev_name.constprop.0+0x10/0x10  \n[  419.961799]  ? pointer+0x3f0/0x62f  \n[  419.962277]  ? __pfx_pointer+0x10/0x10  \n[  419.962761]  ? vsnprintf+0x6c4/0xfba  \n[  419.963178]  ? __pfx_vsnprintf+0x10/0x10  \n[  419.963621]  ? setup_bdev_super+0x376/0x3b3  \n[  419.964029]  ? snprintf+0x9d/0xd2  \n[  419.964344]  ? __pfx_snprintf+0x10/0x10  \n[  419.964675]  ? lock_acquired+0x45c/0x5e9  \n[  419.965016]  ? set_blocksize+0x139/0x1c1  \n[  419.965381]  ? sb_set_blocksize+0x6d/0xae  \n[  419.965742]  ? __pfx_hfsplus_fill_super+0x10/0x10  \n[  419.966179]  mount_bdev+0x12f/0x1bf  \n[  419.966512]  ? __pfx_mount_bdev+0x10/0x10  \n[  419.966886]  ? vfs_parse_fs_string+0xce/0x111  \n[  419.967293]  ? __pfx_vfs_parse_fs_string+0x10/0x10  \n[  419.967702]  ? __pfx_hfsplus_mount+0x10/0x10  \n[  419.968073]  legacy_get_tree+0x104/0x178  \n[  419.968414]  vfs_get_tree+0x86/0x296  \n[  419.968751]  path_mount+0xba3/0xd0b  \n[  419.969157]  ? __pfx_path_mount+0x10/0x10  \n[  419.969594]  ? kmem_cache_free+0x1e2/0x260  \n[  419.970311]  do_mount+0x99/0xe0  \n[  419.970630]  ? __pfx_do_mount+0x10/0x10  \n[  419.971008]  __do_sys_mount+0x199/0x1c9  \n[  419.971397]  do_syscall_64+0xd0/0x135  \n[  419.971761]  entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n[  419.972233] RIP: 0033:0x7c3cb812972e  \n[  419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 &lt;483d 01 [...]", "creation_timestamp": "2024-12-27T15:59:41.000000Z"}]}