cvelist / Linux / CVELIST:CVE-2024-35807
History: May 17, 2024 - 1:23 p.m.

CVE-2024-35807 ext4: fix corruption during on-line resize

2024-05-17 13:23:14
Linux
www.cve.org
Tags: linux kernel, ext4, corruption, on-line resize, vulnerability, file system, block size, meta block group

AI Score: 7.5 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 13.0%)

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix corruption during on-line resize

We observed a corruption during on-line resize of a file system that is
larger than 16 TiB with 4k block size. With having more than 2^32 blocks
resize_inode is turned off by default by mke2fs. The issue can be
reproduced on a smaller file system for convenience by explicitly
turning off resize_inode. An on-line resize across an 8 GiB boundary (the
size of a meta block group in this setup) then leads to a corruption:

dev=/dev/<some_dev> # should be >= 16 GiB
mkdir -p /corruption
/sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))
mount -t ext4 $dev /corruption

dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))
sha1sum /corruption/test
# 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test

/sbin/resize2fs $dev $((2*2**21))
# drop page cache to force reload the block from disk
echo 1 > /proc/sys/vm/drop_caches

sha1sum /corruption/test
# 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test

2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per
block group and 2^6 are the number of block groups that make a meta
block group.

The last checksum might be different depending on how the file is laid
out across the physical blocks. The actual corruption occurs at physical
block 63*2^15 = 2064384 which would be the location of the backup of the
meta block group’s block descriptor. During the on-line resize the file
system will be converted to meta_bg starting at s_first_meta_bg which is
2 in the example - meaning all block groups after 16 GiB. However, in
ext4_flex_group_add we might add block groups that are not part of the
first meta block group yet. In the reproducer we achieved this by
subtracting the size of a whole block group from the point where the
meta block group would start. This must be considered when updating the
backup block group descriptors to follow the non-meta_bg layout. The fix
is to add a test whether the group to add is already part of the meta
block group or not.
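
The arithmetic behind the reproducer and the test the fix adds, as an added example that is not part of the original commit message or the kernel source. It uses the sizes given in the description; the function names are hypothetical, and the backup-slot helper assumes the last group of the meta block group carries no superblock backup.

```shell
#!/bin/sh
# Added example: block-group arithmetic for the reproducer in the description.
# Constants are the values the description gives; function names are made up.
BLOCKS_PER_GROUP=$((1 << 15))    # 2^15 blocks per block group (4k blocks)
GROUPS_PER_META_BG=$((1 << 6))   # 2^6 block groups per meta block group
FIRST_META_BG=2                  # s_first_meta_bg in the example

# Number of block groups in a file system of $1 blocks.
group_count() { echo $(( ($1 + BLOCKS_PER_GROUP - 1) / BLOCKS_PER_GROUP )); }

# Meta block group that block group $1 belongs to.
meta_bg_of() { echo $(( $1 / GROUPS_PER_META_BG )); }

# The test the fix is described as adding: is group $1 already inside the
# meta_bg region, i.e. in a meta block group >= s_first_meta_bg?
uses_meta_bg_layout() { [ "$(meta_bg_of "$1")" -ge "$FIRST_META_BG" ]; }

# First block of the last group of meta block group $1, where the meta_bg
# layout keeps a descriptor backup (assumes no superblock backup there).
meta_bg_last_backup_block() {
    echo $(( (($1 + 1) * GROUPS_PER_META_BG - 1) * BLOCKS_PER_GROUP ))
}

# List the groups an on-line resize from $1 to $2 blocks adds, with the
# descriptor-backup layout each one has to follow.
added_groups() {
    g=$(group_count "$1"); end=$(group_count "$2")
    while [ "$g" -lt "$end" ]; do
        if uses_meta_bg_layout "$g"; then layout=meta_bg; else layout=non-meta_bg; fi
        echo "group=$g meta_bg=$(meta_bg_of "$g") layout=$layout"
        g=$((g + 1))
    done
}

OLD=$(( 2 * (1 << 21) - (1 << 15) ))   # mke2fs size in the reproducer
NEW=$(( 2 * (1 << 21) ))               # resize2fs target in the reproducer
added_groups "$OLD" "$NEW"             # the one added group sits below s_first_meta_bg
echo "meta_bg backup slot of meta block group 0: block $(meta_bg_last_backup_block 0)"
```

The added group (127) belongs to meta block group 1, below s_first_meta_bg, so its descriptor backups must follow the non-meta_bg layout; block 2064384 is the slot a meta_bg-style backup would occupy instead.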

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ext4/resize.c"
    ],
    "versions": [
      {
        "version": "01f795f9e0d6",
        "lessThan": "75cc31c2e719",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "ee4e9c197614",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "e8e8b1973172",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "239c669edb2b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "fb1088d51bba",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "37b6a3ba793b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "b461910af8ba",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "722d2c01b8b1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "01f795f9e0d6",
        "lessThan": "a6b3bfe176e8",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ext4/resize.c"
    ],
    "versions": [
      {
        "version": "3.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.7",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.312",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.274",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.215",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.154",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.84",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.24",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.12",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.3",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
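
A triage check built from the version ranges above and the resize_inode precondition in the description, added here as an example and not part of the CVE record. The function names are hypothetical and the `dumpe2fs -h` line is a constructed sample.

```shell
#!/bin/sh
# Added example: triage for CVE-2024-35807 using the version ranges listed
# above. Function names are hypothetical; the sample input is constructed.

# Print unaffected, fixed or affected for an upstream kernel release ($1).
kernel_status() {
    ver=${1%%-*}; major=${ver%%.*}; rest=${ver#*.}   # drop suffix like -generic
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}; patch=0
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;; esac
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 7 ]; }; then
        echo unaffected; return
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 9 ]; }; then
        echo fixed; return
    fi
    case "$major.$minor" in
        4.19) fix=312 ;; 5.4) fix=274 ;; 5.10) fix=215 ;; 5.15) fix=154 ;;
        6.1) fix=84 ;; 6.6) fix=24 ;; 6.7) fix=12 ;; 6.8) fix=3 ;;
        *) echo affected; return ;;   # series with no fixed release listed
    esac
    if [ "${patch:-0}" -ge "$fix" ]; then echo fixed; else echo affected; fi
}

# Read `dumpe2fs -h` output on stdin. Succeeds when the file system lacks
# resize_inode, the precondition the description gives for the corruption.
lacks_resize_inode() {
    features=$(sed -n 's/^Filesystem features:[[:space:]]*//p')
    [ -n "$features" ] || return 2    # no feature line: cannot tell
    case " $features " in *" resize_inode "*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample of the relevant dumpe2fs -h line (not from a real host).
SAMPLE='Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file'

if printf '%s\n' "$SAMPLE" | lacks_resize_inode; then
    echo "kernel 6.6.23 is $(kernel_status 6.6.23); file system has no resize_inode"
fi
```

The comparison follows upstream stable numbering only; distribution kernels often carry the fix under an older version string, so treat `affected` as a prompt to check the vendor's changelog.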
