cve/published/2024/CVE-2024-49880.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49880: ext4: fix off by one issue in alloc_flex_gd()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ext4: fix off by one issue in alloc_flex_gd()

 Wesley reported an issue:

 ==================================================================
 EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks
 ------------[ cut here ]------------
 kernel BUG at fs/ext4/resize.c:324!
 CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27
 RIP: 0010:ext4_resize_fs+0x1212/0x12d0
 Call Trace:
  __ext4_ioctl+0x4e0/0x1800
  ext4_ioctl+0x12/0x20
  __x64_sys_ioctl+0x99/0xd0
  x64_sys_call+0x1206/0x20d0
  do_syscall_64+0x72/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ==================================================================

 While reviewing the patch, Honza found that when adjusting resize_bg in
 alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than
 flexbg_size.

 The reproduction of the problem requires the following:

  o_group = flexbg_size * 2 * n;
  o_size = (o_group + 1) * group_size;
  n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)
  o_size = (n_group + 1) * group_size;

 Take n=0,flexbg_size=16 as an example:

               last:15
 |o---------------|--------------n-|
 o_group:0    resize to      n_group:30

 The corresponding reproducer is:

 img=test.img
 rm -f $img
 truncate -s 600M $img
 mkfs.ext4 -F $img -b 1024 -G 16 8M
 dev=`losetup -f --show $img`
 mkdir -p /tmp/test
 mount $dev /tmp/test
 resize2fs $dev 248M

 Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()
 to prevent the issue from happening again.

 [ Note: another reproucer which this commit fixes is:

   img=test.img
   rm -f $img
   truncate -s 25MiB $img
   mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
   truncate -s 3GiB $img
   dev=`losetup -f --show $img`
   mkdir -p /tmp/test
   mount $dev /tmp/test
   resize2fs $dev 3G
   umount $dev
   losetup -d $dev

   -- TYT ]

 The Linux kernel CVE team has assigned CVE-2024-49880 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.10.14 with commit 0d80d2b8bf613398baf7185009e35f9d0459ecb0
 	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.11.3 with commit acb559d6826116cc113598640d105094620c2526
 	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.12 with commit 6121258c2b33ceac3d21f6a221452692c465df88

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49880
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ext4/resize.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0
 	https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526
 	https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49880: ext4: fix off by one issue in alloc_flex_gd()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ext4: fix off by one issue in alloc_flex_gd()

	Wesley reported an issue:

	==================================================================
	EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks
	------------[ cut here ]------------
	kernel BUG at fs/ext4/resize.c:324!
	CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27
	RIP: 0010:ext4_resize_fs+0x1212/0x12d0
	Call Trace:
	__ext4_ioctl+0x4e0/0x1800
	ext4_ioctl+0x12/0x20
	__x64_sys_ioctl+0x99/0xd0
	x64_sys_call+0x1206/0x20d0
	do_syscall_64+0x72/0x110
	entry_SYSCALL_64_after_hwframe+0x76/0x7e
	==================================================================

	While reviewing the patch, Honza found that when adjusting resize_bg in
	alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than
	flexbg_size.

	The reproduction of the problem requires the following:

	o_group = flexbg_size * 2 * n;
	o_size = (o_group + 1) * group_size;
	n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)
	o_size = (n_group + 1) * group_size;

	Take n=0,flexbg_size=16 as an example:

	last:15
	\|o---------------\|--------------n-\|
	o_group:0 resize to n_group:30

	The corresponding reproducer is:

	img=test.img
	rm -f $img
	truncate -s 600M $img
	mkfs.ext4 -F $img -b 1024 -G 16 8M
	dev=`losetup -f --show $img`
	mkdir -p /tmp/test
	mount $dev /tmp/test
	resize2fs $dev 248M

	Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()
	to prevent the issue from happening again.

	[ Note: another reproucer which this commit fixes is:

	img=test.img
	rm -f $img
	truncate -s 25MiB $img
	mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
	truncate -s 3GiB $img
	dev=`losetup -f --show $img`
	mkdir -p /tmp/test
	mount $dev /tmp/test
	resize2fs $dev 3G
	umount $dev
	losetup -d $dev

	-- TYT ]

	The Linux kernel CVE team has assigned CVE-2024-49880 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.10.14 with commit 0d80d2b8bf613398baf7185009e35f9d0459ecb0
	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.11.3 with commit acb559d6826116cc113598640d105094620c2526
	Issue introduced in 6.8 with commit 665d3e0af4d35acf9a5f58dfd471bc27dbf55880 and fixed in 6.12 with commit 6121258c2b33ceac3d21f6a221452692c465df88

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49880
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ext4/resize.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0
	https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526
	https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88