In the Linux kernel, the following vulnerability has been resolved:
ext4: fix corruption during on-line resize
We observed a corruption during on-line resize of a file system that is
larger than 16 TiB with 4k block size. With having more then 2^32 blocks
resize_inode is turned off by default by mke2fs. The issue can be
reproduced on a smaller file system for convenience by explicitly
turning off resize_inode. An on-line resize across an 8 GiB boundary (the
size of a meta block group in this setup) then leads to a corruption:
dev=/dev/<some_dev> # should be >= 16 GiB
mkdir -p /corruption
/sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 221 - 215))
mount -t ext4 $dev /corruption
dd if=/dev/zero bs=4096 of=/corruption/test count=$((22**21 - 42**15))
sha1sum /corruption/test
/sbin/resize2fs $dev $((2*2**21))
echo 1 > /proc/sys/vm/drop_caches
sha1sum /corruption/test
2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per
block group and 2^6 are the number of block groups that make a meta
block group.
The last checksum might be different depending on how the file is laid
out across the physical blocks. The actual corruption occurs at physical
block 63*2^15 = 2064384 which would be the location of the backup of the
meta block group’s block descriptor. During the on-line resize the file
system will be converted to meta_bg starting at s_first_meta_bg which is
2 in the example - meaning all block groups after 16 GiB. However, in
ext4_flex_group_add we might add block groups that are not part of the
first meta block group yet. In the reproducer we achieved this by
substracting the size of a whole block group from the point where the
meta block group would start. This must be considered when updating the
backup block group descriptors to follow the non-meta_bg layout. The fix
is to add a test whether the group to add is already part of the meta
block group or not.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/resize.c"
],
"versions": [
{
"version": "01f795f9e0d6",
"lessThan": "75cc31c2e719",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "ee4e9c197614",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "e8e8b1973172",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "239c669edb2b",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "fb1088d51bba",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "37b6a3ba793b",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "b461910af8ba",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "722d2c01b8b1",
"status": "affected",
"versionType": "git"
},
{
"version": "01f795f9e0d6",
"lessThan": "a6b3bfe176e8",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/resize.c"
],
"versions": [
{
"version": "3.7",
"status": "affected"
},
{
"version": "0",
"lessThan": "3.7",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.312",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.274",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.215",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.154",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.84",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.24",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.7.12",
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.8.3",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6
git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5
git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd
git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1
git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc
git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c
git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a
git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c
git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df