ghsa-9r6q-3r52-hh42
Vulnerability from github
Published
2024-10-21 18:30
Modified
2024-10-25 15:31
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off by one issue in alloc_flex_gd()

Wesley reported an issue:

================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================

While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size.

The reproduction of the problem requires the following:

o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size;

Take n=0,flexbg_size=16 as an example:

          last:15

|o---------------|--------------n-| o_group:0 resize to n_group:30

The corresponding reproducer is:

img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again.

[ Note: another reproucer which this commit fixes is:

img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img truncate -s 3GiB $img dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev

-- TYT ]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-49880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off by one issue in alloc_flex_gd()\n\nWesley reported an issue:\n\n==================================================================\nEXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks\n------------[ cut here ]------------\nkernel BUG at fs/ext4/resize.c:324!\nCPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27\nRIP: 0010:ext4_resize_fs+0x1212/0x12d0\nCall Trace:\n __ext4_ioctl+0x4e0/0x1800\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0x99/0xd0\n x64_sys_call+0x1206/0x20d0\n do_syscall_64+0x72/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nWhile reviewing the patch, Honza found that when adjusting resize_bg in\nalloc_flex_gd(), it was possible for flex_gd-\u003eresize_bg to be bigger than\nflexbg_size.\n\nThe reproduction of the problem requires the following:\n\n o_group = flexbg_size * 2 * n;\n o_size = (o_group + 1) * group_size;\n n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)\n o_size = (n_group + 1) * group_size;\n\nTake n=0,flexbg_size=16 as an example:\n\n              last:15\n|o---------------|--------------n-|\no_group:0    resize to      n_group:30\n\nThe corresponding reproducer is:\n\nimg=test.img\nrm -f $img\ntruncate -s 600M $img\nmkfs.ext4 -F $img -b 1024 -G 16 8M\ndev=`losetup -f --show $img`\nmkdir -p /tmp/test\nmount $dev /tmp/test\nresize2fs $dev 248M\n\nDelete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()\nto prevent the issue from happening again.\n\n[ Note: another reproucer which this commit fixes is:\n\n  img=test.img\n  rm -f $img\n  truncate -s 25MiB $img\n  mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img\n  truncate -s 3GiB $img\n  dev=`losetup -f --show $img`\n  mkdir -p /tmp/test\n  mount $dev /tmp/test\n  resize2fs $dev 3G\n  umount $dev\n  losetup -d $dev\n\n  -- TYT ]",
  "id": "GHSA-9r6q-3r52-hh42",
  "modified": "2024-10-25T15:31:25Z",
  "published": "2024-10-21T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49880"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.