CVE-2024-35807

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix corruption during on-line resize

We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resizeinode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resizeinode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption:

dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 221 - 215)) mount -t ext4 $dev /corruption

dd if=/dev/zero bs=4096 of=/corruption/test count=$((2221 - 4215)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test

/sbin/resize2fs $dev $((22*21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches

sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test

2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group.

The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to metabg starting at sfirstmetabg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4flexgroupadd we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-metabg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.