CVE-2024-35807: ext4: fix corruption during on-line resize
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix corruption during on-line resize
The Linux kernel CVE team has assigned CVE-2024-35807 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051740-CVE-2024-35807-2a9e@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix corruption during on-line resize
We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resizeinode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resizeinode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption:
dev=/dev/<somedev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resizeinode $dev $((2 221 - 215)) mount -t ext4 $dev /corruption
dd if=/dev/zero bs=4096 of=/corruption/test count=$((2221 - 4215)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test
/sbin/resize2fs $dev $((2221)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/dropcaches
sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test
2^21 = 2^152^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group.
The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 632^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to metabg starting at sfirstmetabg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4flexgroupadd we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-metabg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.
— NVD
Linux Kernel is vulnerable to a denial of service, caused by a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-35807?
CVE-2024-35807 has a moderate severity rating due to potential corruption during online resize operations in the ext4 filesystem.
How do I fix CVE-2024-35807?
To mitigate CVE-2024-35807, update to the latest kernel versions as specified in the vulnerability details.
Which Linux kernel versions are affected by CVE-2024-35807?
CVE-2024-35807 affects Linux kernel versions up to and including 4.19.312, 5.4.274, 5.10.215, 5.15.154, 6.1.84, and various other versions up to 6.9.
What type of vulnerability is CVE-2024-35807?
CVE-2024-35807 is a filesystem vulnerability specifically related to the ext4 filesystem in the Linux kernel.
Is there a workaround for CVE-2024-35807 if I cannot apply updates?
Currently, the recommended action for CVE-2024-35807 is to apply the relevant updates rather than relying on a workaround.