ext4: fix corruption during on-line resize
Summary
| CVE | CVE-2024-35807 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-05-17 14:15:14 UTC |
| Updated | 2026-05-12 12:16:36 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 75cc31c2e7193b69f5d25650bda5bb42ed92f8a1 git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 ee4e9c1976147a850f6085a13fca95bcaa00d84c git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 e8e8b197317228b5089ed9e7802dadf3ccaa027a git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 239c669edb2bffa1aa2612519b1d438ab35d6be6 git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 fb1088d51bbaa0faec5a55d4f5818a9ab79e24df git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 37b6a3ba793bbbae057f5b991970ebcc52cb3db5 git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 b461910af8ba3bed80f48c2bf852686d05c6fc5c git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 722d2c01b8b108f8283d1b7222209d5b2a5aa7bd git | Not specified |
| CNA | Linux | Linux | affected 01f795f9e0d67adeccc61a8b20c28acb45fa5fd8 a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc git | Not specified |
| CNA | Linux | Linux | affected 3.7 | Not specified |
| CNA | Linux | Linux | unaffected 3.7 semver | Not specified |
| CNA | Linux | Linux | unaffected 4.19.312 4.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.274 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.215 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.154 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.84 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.24 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.7.12 6.7.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.8.3 6.8.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.9 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cert-portal.siemens.com/productcert/html/ssa-398330.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| lists.debian.org/debian-lts-announce/2024/06/msg00017.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Third Party Advisory |
| git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00020.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Third Party Advisory |
| git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.