CVE-2024-40955

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
12/07/2024
Last modified:
28/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

We can trigger a slab-out-of-bounds with the following commands:

    mkfs.ext4 -F /dev/$disk 10G
    mount /dev/$disk /tmp/test
    echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
    echo test > /tmp/test/file && sync

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
    Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
    CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
    Call Trace:
     dump_stack_lvl+0x2c/0x50
     kasan_report+0xb6/0xf0
     ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
     ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
     ext4_mb_new_blocks+0x88a/0x1370 [ext4]
     ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
     ext4_map_blocks+0x569/0xea0 [ext4]
     ext4_do_writepages+0x10f6/0x1bc0 [ext4]
     [...]
    ==================================================================

The flow of issue triggering is as follows:

    // Set s_mb_group_prealloc to 2147483647 via sysfs
    ext4_mb_new_blocks
      ext4_mb_normalize_request
        ext4_mb_normalize_group_request
          ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
      ext4_mb_regular_allocator
        ext4_mb_choose_next_group
          ext4_mb_choose_next_group_best_avail
            mb_avg_fragment_size_order
              order = fls(len) - 2 = 29
            ext4_mb_find_good_group_avg_frag_lists
              frag_list = &sbi->s_mb_avg_fragment_size[order]
              if (list_empty(frag_list)) // Trigger SOOB!

At 4k block size, the length of the s_mb_avg_fragment_size list is 14, but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds to be triggered by an attempt to access an element at index 29.

Add a new attr_id attr_clusters_in_group with values in the range [0, sbi->s_clusters_per_group] and declare mb_group_prealloc as that type to fix the issue. In addition avoid returning an order from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb) and reduce some useless loops.

Vulnerable products and versions

CPE                                            From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.5 (including)  6.6.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)  6.9.7 (excluding)