CVE-2024-35807

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 17/05/2024
Last modified: 17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix corruption during on-line resize

We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more than 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption:

    dev=/dev/ # should be >= 16 GiB
    mkdir -p /corruption
    /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))
    mount -t ext4 $dev /corruption

    dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))
    sha1sum /corruption/test
    # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test

    /sbin/resize2fs $dev $((2*2**21))
    # drop page cache to force reload the block from disk
    echo 1 > /proc/sys/vm/drop_caches

    sha1sum /corruption/test
    # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test

2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group.

The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by subtracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    3.7 (including)   4.19.312 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.20 (including)  5.4.274 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.5 (including)   5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)  5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)  6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)   6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)   6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.8 (including)   6.8.3 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
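
Added example, not part of the advisory or the kernel commit: a POSIX shell check that combines the upstream version ranges from the table above with the precondition the description names, an ext4 file system without resize_inode. The function names and the sample feature lines are this example's own, and it assumes the input is the "Filesystem features:" line as printed by `dumpe2fs -h`.

```shell
#!/bin/sh
# Added example (not from the advisory): CVE-2024-35807 exposure check.
# Upstream ranges copied from the table above: "from (incl.)  fixed in (excl.)".
RANGES="3.7 4.19.312
4.20 5.4.274
5.5 5.10.215
5.11 5.15.154
5.16 6.1.84
6.2 6.6.24
6.7 6.7.12
6.8 6.8.3"

# ver_key V: print V as one comparable integer; "-18-amd64" style suffixes dropped.
ver_key() {
    v=${1%%[!0-9.]*}
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    printf '%d%04d%04d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# kernel_affected RELEASE: succeed if RELEASE lies inside one of RANGES.
kernel_affected() {
    k=$(ver_key "$1")
    while read -r from fixed; do
        if [ "$k" -ge "$(ver_key "$from")" ] && [ "$k" -lt "$(ver_key "$fixed")" ]; then
            return 0
        fi
    done <<EOF
$RANGES
EOF
    return 1
}

# fs_lacks_resize_inode: reads `dumpe2fs -h` output on stdin. Returns 0 when
# resize_inode is absent (the precondition the description names), 1 when it
# is present, 2 when no feature line was found.
fs_lacks_resize_inode() {
    feats=$(sed -n 's/^Filesystem features:[[:space:]]*//p')
    [ -n "$feats" ] || return 2
    case " $feats " in
        *" resize_inode "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample inputs (trimmed dumpe2fs -h output), not real systems.
SAMPLE_NO_RI='Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file'
SAMPLE_RI='Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super'

# exposed RELEASE < dumpe2fs-output: succeed only when both conditions hold.
exposed() { kernel_affected "$1" && fs_lacks_resize_inode; }
```

On a live host this can be run as `dumpe2fs -h "$dev" 2>/dev/null | exposed "$(uname -r)"`. Distribution kernels often carry backported fixes under an unchanged upstream version number, so a match is a reason to check the vendor changelog rather than a final verdict.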