CVE-2024-49880 Information

Nov 01, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

ext4: fix off by one issue in alloc_flex_gd()

Wesley reported an issue:

================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ————[ cut here ]———— kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ 27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

While reviewing the patch Honza found that when adjusting resize_bg in alloc_flex_gd() it was possible for flex_gd->resize_bg to be bigger than flexbg_size.

The reproduction of the problem requires the following:

o_group = flexbg_size 2 n; o_size = (o_group + 1) group_size; n_group: [o_group + flexbg_size o_group + flexbg_size 2) o_size = (n_group + 1) group_size;

Take n=0flexbg_size=16 as an example:

          last:15

|o—————|————–n-| o_group:0 resize to n_group:30

The corresponding reproducer is:

img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue and add a WARN_ON_ONCE() to prevent the issue from happening again.

[ Note: another reproucer which this commit fixes is:

img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscardlazy_itable_init=0lazy_journal_init=0 $img truncate -s 3GiB $img dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev

– TYT ]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0 https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526 https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8

Share on: