CVE-2024-35807

Summary

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix corruption during on-line resize

We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption:

dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 221 - 215)) mount -t ext4 $dev /corruption

dd if=/dev/zero bs=4096 of=/corruption/test count=$((22**21 - 42**15)) sha1sum /corruption/test

79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test

/sbin/resize2fs $dev $((2*2**21))

drop page cache to force reload the block from disk

echo 1 > /proc/sys/vm/drop_caches

sha1sum /corruption/test

3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test

2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group.

The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < 75cc31c2e7193b69f5d25650bda5bb42ed92f8a1affected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < ee4e9c1976147a850f6085a13fca95bcaa00d84caffected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < e8e8b197317228b5089ed9e7802dadf3ccaa027aaffected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < 239c669edb2bffa1aa2612519b1d438ab35d6be6affected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < fb1088d51bbaa0faec5a55d4f5818a9ab79e24dfaffected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < 37b6a3ba793bbbae057f5b991970ebcc52cb3db5affected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < b461910af8ba3bed80f48c2bf852686d05c6fc5caffected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < 722d2c01b8b108f8283d1b7222209d5b2a5aa7bdaffected
LinuxLinux01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 < a6b3bfe176e8a5b05ec4447404e412c2a3fc92ccaffected
LinuxLinux3.7affected
LinuxLinux0 < 3.7unaffected
LinuxLinux4.19.312 <= 4.19.*unaffected
LinuxLinux5.4.274 <= 5.4.*unaffected
LinuxLinux5.10.215 <= 5.10.*unaffected
LinuxLinux5.15.154 <= 5.15.*unaffected
LinuxLinux6.1.84 <= 6.1.*unaffected
LinuxLinux6.6.24 <= 6.6.*unaffected
LinuxLinux6.7.12 <= 6.7.*unaffected
LinuxLinux6.8.3 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

Additional References

References