CVE-2024-49880

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-49880
Downstream
Related
Published
2024-10-21T18:15:10Z
Modified
2024-10-25T14:42:58Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off by one issue in allocflexgd()

Wesley reported an issue:

================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4resizefs+0x1212/0x12d0 Call Trace: _ext4ioctl+0x4e0/0x1800 ext4ioctl+0x12/0x20 _x64sysioctl+0x99/0xd0 x64syscall+0x1206/0x20d0 dosyscall64+0x72/0x110

entrySYSCALL64afterhwframe+0x76/0x7e

While reviewing the patch, Honza found that when adjusting resizebg in allocflexgd(), it was possible for flexgd->resizebg to be bigger than flexbgsize.

The reproduction of the problem requires the following:

ogroup = flexbgsize * 2 * n; osize = (ogroup + 1) * groupsize; ngroup: [ogroup + flexbgsize, ogroup + flexbgsize * 2) osize = (ngroup + 1) * group_size;

Take n=0,flexbg_size=16 as an example:

          last:15

|o---------------|--------------n-| ogroup:0 resize to ngroup:30

The corresponding reproducer is:

img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue, and add a WARNONONCE() to prevent the issue from happening again.

[ Note: another reproucer which this commit fixes is:

img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscard,lazyitableinit=0,lazyjournalinit=0 $img truncate -s 3GiB $img dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev

-- TYT ]

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.11.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}