mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
189 lines
12 KiB
JSON
189 lines
12 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-35807",
|
|
"ASSIGNER": "cve@kernel.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/<some_dev> # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "n/a"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Linux",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Linux",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "01f795f9e0d6",
|
|
"version_value": "75cc31c2e719"
|
|
},
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "3.7",
|
|
"status": "affected"
|
|
},
|
|
{
|
|
"version": "0",
|
|
"lessThan": "3.7",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "4.19.312",
|
|
"lessThanOrEqual": "4.19.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "5.4.274",
|
|
"lessThanOrEqual": "5.4.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "5.10.215",
|
|
"lessThanOrEqual": "5.10.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "5.15.154",
|
|
"lessThanOrEqual": "5.15.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "6.1.84",
|
|
"lessThanOrEqual": "6.1.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "6.6.24",
|
|
"lessThanOrEqual": "6.6.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "6.7.12",
|
|
"lessThanOrEqual": "6.7.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "6.8.3",
|
|
"lessThanOrEqual": "6.8.*",
|
|
"status": "unaffected",
|
|
"versionType": "custom"
|
|
},
|
|
{
|
|
"version": "6.9",
|
|
"lessThanOrEqual": "*",
|
|
"status": "unaffected",
|
|
"versionType": "original_commit_for_fix"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc"
|
|
},
|
|
{
|
|
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html",
|
|
"refsource": "MISC",
|
|
"name": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
|
|
},
|
|
{
|
|
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html",
|
|
"refsource": "MISC",
|
|
"name": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "bippy-a5840b7849dd"
|
|
}
|
|
} |