Ubuntu.comUB:CVE-2024-35807CVE-2024-35807
In the Linux kernel, the following vulnerability has been resolved: ext4:
fix corruption during on-line resize We observed a corruption during
on-line resize of a file system that is larger than 16 TiB with 4k block
size. With having more then 2^32 blocks resize_inode is turned off by
default by mke2fs. The issue can be reproduced on a smaller file system for
convenience by explicitly turning off resize_inode. An on-line resize
across an 8 GiB boundary (the size of a meta block group in this setup)
then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir
-p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 *
221 - 215)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096
of=/corruption/test count=$((22**21 - 4215)) sha1sum /corruption/test #
79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs
$dev $((2*221)) # drop page cache to force reload the block from disk
echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test #
3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^152^6
equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6
are the number of block groups that make a meta block group. The last
checksum might be different depending on how the file is laid out across
the physical blocks. The actual corruption occurs at physical block 632^15
= 2064384 which would be the location of the backup of the meta block
group’s block descriptor. During the on-line resize the file system will be
converted to meta_bg starting at s_first_meta_bg which is 2 in the example
- meaning all block groups after 16 GiB. However, in ext4_flex_group_add we
might add block groups that are not part of the first meta block group yet.
In the reproducer we achieved this by substracting the size of a whole
block group from the point where the meta block group would start. This
must be considered when updating the backup block group descriptors to
follow the non-meta_bg layout. The fix is to add a test whether the group
to add is already part of the meta block group or not.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
| ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
References
git.kernel.org/linus/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc (6.9-rc1)
git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6
git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5
git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd
git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1
git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc
git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c
git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a
git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c
git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df
launchpad.net/bugs/cve/CVE-2024-35807
nvd.nist.gov/vuln/detail/CVE-2024-35807
security-tracker.debian.org/tracker/CVE-2024-35807
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
www.cve.org/CVERecord?id=CVE-2024-35807
Related
