CVE-2024-49880

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/10/2024
Last modified:
25/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off by one issue in alloc_flex_gd()

Wesley reported an issue:

==================================================================
EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks
------------[ cut here ]------------
kernel BUG at fs/ext4/resize.c:324!
CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27
RIP: 0010:ext4_resize_fs+0x1212/0x12d0
Call Trace:
 __ext4_ioctl+0x4e0/0x1800
 ext4_ioctl+0x12/0x20
 __x64_sys_ioctl+0x99/0xd0
 x64_sys_call+0x1206/0x20d0
 do_syscall_64+0x72/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================

While reviewing the patch, Honza found that when adjusting resize_bg in
alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than
flexbg_size.

The reproduction of the problem requires the following:

    o_group = flexbg_size * 2 * n;
    o_size = (o_group + 1) * group_size;
    n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)
    o_size = (n_group + 1) * group_size;

Take n=0,flexbg_size=16 as an example:

                  last:15
    |o---------------|--------------n-|
    o_group:0    resize to      n_group:30

The corresponding reproducer is:

    img=test.img
    rm -f $img
    truncate -s 600M $img
    mkfs.ext4 -F $img -b 1024 -G 16 8M
    dev=`losetup -f --show $img`
    mkdir -p /tmp/test
    mount $dev /tmp/test
    resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()
to prevent the issue from happening again.

[ Note: another reproducer which this commit fixes is:

    img=test.img
    rm -f $img
    truncate -s 25MiB $img
    mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
    truncate -s 3GiB $img
    dev=`losetup -f --show $img`
    mkdir -p /tmp/test
    mount $dev /tmp/test
    resize2fs $dev 3G
    umount $dev
    losetup -d $dev

  -- TYT ]

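The sizing arithmetic behind the reproduction conditions above, as an added example that is not kernel source and not part of the original advisory. It is a user-space C model that evaluates the n=0, flexbg_size=16 case with and without the plus 1, then sweeps the stated n_group range for results larger than flexbg_size. The function names, the reconstruction of the resize_bg computation, and the power-of-two flexbg_size are assumptions.

```c
#include <stdio.h>

/* Position of the highest set bit, 1-based; 0 for x == 0 (kernel fls() semantics). */
static unsigned int fls_u32(unsigned int x)
{
    unsigned int pos = 0;
    while (x) { pos++; x >>= 1; }
    return pos;
}

/*
 * User-space model (an assumption, not kernel source) of how resize_bg is
 * shrunk when n_group lies beyond o_group's flex group. plus_one selects the
 * pre-fix arithmetic (1) or the arithmetic with the "+ 1" deleted (0).
 * flexbg_size is assumed to be a power of two.
 */
static unsigned int resize_bg_model(unsigned int flexbg_size, unsigned int o_group,
                                    unsigned int n_group, int plus_one)
{
    unsigned int resize_bg = flexbg_size;                 /* intended upper bound */
    unsigned int last_group = o_group | (resize_bg - 1);  /* end of o_group's flex group */

    if (n_group > last_group && n_group - last_group < resize_bg) {
        unsigned int a = fls_u32(last_group - o_group + (plus_one ? 1u : 0u));
        unsigned int b = fls_u32(n_group - last_group);
        resize_bg = 1u << (a > b ? a : b);
    }
    return resize_bg;
}

/* Count n_group values in the page's range that break resize_bg <= flexbg_size. */
static unsigned int count_violations(unsigned int flexbg_size, unsigned int n, int plus_one)
{
    unsigned int o_group = flexbg_size * 2 * n, bad = 0;
    for (unsigned int g = o_group + flexbg_size; g < o_group + flexbg_size * 2; g++)
        if (resize_bg_model(flexbg_size, o_group, g, plus_one) > flexbg_size)
            bad++;
    return bad;
}

int main(void)
{
    /* The page's example: n=0, flexbg_size=16, o_group 0 resized to n_group 30. */
    printf("with +1:    resize_bg=%u\n", resize_bg_model(16, 0, 30, 1));
    printf("without +1: resize_bg=%u\n", resize_bg_model(16, 0, 30, 0));
    printf("violations with +1: %u, without: %u\n",
           count_violations(16, 0, 1), count_violations(16, 0, 0));
    return 0;
}
```

In this model the overshoot comes from last_group - o_group + 1 being exactly flexbg_size, a power of two, so fls() returns one bit more than intended and the shift doubles the bound.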
Vulnerable products and versions

CPE                                                  From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.8 (including)    6.10.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.11 (including)   6.11.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*