CVE-2024-35807
ext4: fix corruption during on-line resize
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix corruption during on-line resize
We observed a corruption during on-line resize of a file system that is
larger than 16 TiB with 4k block size. With having more then 2^32 blocks
resize_inode is turned off by default by mke2fs. The issue can be
reproduced on a smaller file system for convenience by explicitly
turning off resize_inode. An on-line resize across an 8 GiB boundary (the
size of a meta block group in this setup) then leads to a corruption:
dev=/dev/<some_dev> # should be >= 16 GiB
mkdir -p /corruption
/sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))
mount -t ext4 $dev /corruption
dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))
sha1sum /corruption/test
# 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test
/sbin/resize2fs $dev $((2*2**21))
# drop page cache to force reload the block from disk
echo 1 > /proc/sys/vm/drop_caches
sha1sum /corruption/test
# 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test
2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per
block group and 2^6 are the number of block groups that make a meta
block group.
The last checksum might be different depending on how the file is laid
out across the physical blocks. The actual corruption occurs at physical
block 63*2^15 = 2064384 which would be the location of the backup of the
meta block group's block descriptor. During the on-line resize the file
system will be converted to meta_bg starting at s_first_meta_bg which is
2 in the example - meaning all block groups after 16 GiB. However, in
ext4_flex_group_add we might add block groups that are not part of the
first meta block group yet. In the reproducer we achieved this by
substracting the size of a whole block group from the point where the
meta block group would start. This must be considered when updating the
backup block group descriptors to follow the non-meta_bg layout. The fix
is to add a test whether the group to add is already part of the meta
block group or not.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ext4: corregida la corrupción durante el cambio de tamaño en línea Observamos una corrupción durante el cambio de tamaño en línea de un sistema de archivos de más de 16 TiB con un tamaño de bloque de 4k. Al tener más de 2 ^ 32 bloques, mke2fs desactiva resize_inode de forma predeterminada. El problema se puede reproducir en un sistema de archivos más pequeño por conveniencia desactivando explícitamente resize_inode. Un cambio de tamaño en línea a través de un límite de 8 GiB (el tamaño de un grupo de metabloques en esta configuración) conduce a una corrupción: dev=/dev/ # debería ser >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # soltar caché de página para forzar la recarga del bloque desde el disco echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equivale a 8 GiB de los cuales 2^15 es el número de bloques por grupo de bloques y 2^6 es el número de grupos de bloques que forman un metagrupo de bloques. La última suma de comprobación puede ser diferente dependiendo de cómo esté distribuido el archivo en los bloques físicos. La corrupción real ocurre en el bloque físico 63*2^15 = 2064384, que sería la ubicación de la copia de seguridad del descriptor de bloque del grupo de metabloques. Durante el cambio de tamaño en línea, el sistema de archivos se convertirá a meta_bg comenzando en s_first_meta_bg, que en el ejemplo es 2, es decir, todos los grupos de bloques después de 16 GiB. Sin embargo, en ext4_flex_group_add podríamos agregar grupos de bloques que aún no forman parte del primer metagrupo de bloques. En el reproductor logramos esto restando el tamaño de un grupo de bloques completo desde el punto donde comenzaría el grupo de metabloques. Esto debe tenerse en cuenta al actualizar los descriptores del grupo de bloques de respaldo para que sigan el diseño que no es meta_bg. La solución es agregar una prueba de si el grupo a agregar ya forma parte del grupo de metabloques o no.
A vulnerability was found in the ext4 filesystem in the Linux kernel during on-line resizing operations. When an ext4 filesystem is resized while mounted, it could lead to data corruption.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-17 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (14)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-35807 | 2024-08-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2281221 | 2024-08-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 4.19.312" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.4.274" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.10.215" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.15.154" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.1.84" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.6.24" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.7.12" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.8.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.9" | en |
Affected
| ||||||