cve-2024-40955
Vulnerability from cvelistv5
Published
2024-07-12 12:31
Modified
2024-12-19 09:08
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()
We can trigger a slab-out-of-bounds with the following commands:
mkfs.ext4 -F /dev/$disk 10G
mount /dev/$disk /tmp/test
echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
echo test > /tmp/test/file && sync
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
Call Trace:
dump_stack_lvl+0x2c/0x50
kasan_report+0xb6/0xf0
ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
ext4_mb_new_blocks+0x88a/0x1370 [ext4]
ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
ext4_map_blocks+0x569/0xea0 [ext4]
ext4_do_writepages+0x10f6/0x1bc0 [ext4]
[...]
==================================================================
The flow of issue triggering is as follows:
// Set s_mb_group_prealloc to 2147483647 via sysfs
ext4_mb_new_blocks
ext4_mb_normalize_request
ext4_mb_normalize_group_request
ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
ext4_mb_regular_allocator
ext4_mb_choose_next_group
ext4_mb_choose_next_group_best_avail
mb_avg_fragment_size_order
order = fls(len) - 2 = 29
ext4_mb_find_good_group_avg_frag_lists
frag_list = &sbi->s_mb_avg_fragment_size[order]
if (list_empty(frag_list)) // Trigger SOOB!
At 4k block size, the length of the s_mb_avg_fragment_size list is 14,
but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds
to be triggered by an attempt to access an element at index 29.
Add a new attr_id attr_clusters_in_group with values in the range
[0, sbi->s_clusters_per_group] and declare mb_group_prealloc as
that type to fix the issue. In addition avoid returning an order
from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)
and reduce some useless loops.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:55.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/677ff4589f1501578fa903a25bb14831d0607992"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b829687ae1229224262bcabf49accfa2dbf8db06"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13df4d44a3aaabe61cd01d277b6ee23ead2a5206"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:03:45.786138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:24.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "677ff4589f1501578fa903a25bb14831d0607992",
"status": "affected",
"version": "7e170922f06bf46effa7c57f6035fc463d6edc7e",
"versionType": "git"
},
{
"lessThan": "b829687ae1229224262bcabf49accfa2dbf8db06",
"status": "affected",
"version": "7e170922f06bf46effa7c57f6035fc463d6edc7e",
"versionType": "git"
},
{
"lessThan": "13df4d44a3aaabe61cd01d277b6ee23ead2a5206",
"status": "affected",
"version": "7e170922f06bf46effa7c57f6035fc463d6edc7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()\n\nWe can trigger a slab-out-of-bounds with the following commands:\n\n mkfs.ext4 -F /dev/$disk 10G\n mount /dev/$disk /tmp/test\n echo 2147483647 \u003e /sys/fs/ext4/$disk/mb_group_prealloc\n echo test \u003e /tmp/test/file \u0026\u0026 sync\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\nRead of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11\nCPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521\nCall Trace:\n dump_stack_lvl+0x2c/0x50\n kasan_report+0xb6/0xf0\n ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\n ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]\n ext4_mb_new_blocks+0x88a/0x1370 [ext4]\n ext4_ext_map_blocks+0x14f7/0x2390 [ext4]\n ext4_map_blocks+0x569/0xea0 [ext4]\n ext4_do_writepages+0x10f6/0x1bc0 [ext4]\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\n// Set s_mb_group_prealloc to 2147483647 via sysfs\next4_mb_new_blocks\n ext4_mb_normalize_request\n ext4_mb_normalize_group_request\n ac-\u003eac_g_ex.fe_len = EXT4_SB(sb)-\u003es_mb_group_prealloc\n ext4_mb_regular_allocator\n ext4_mb_choose_next_group\n ext4_mb_choose_next_group_best_avail\n mb_avg_fragment_size_order\n order = fls(len) - 2 = 29\n ext4_mb_find_good_group_avg_frag_lists\n frag_list = \u0026sbi-\u003es_mb_avg_fragment_size[order]\n if (list_empty(frag_list)) // Trigger SOOB!\n\nAt 4k block size, the length of the s_mb_avg_fragment_size list is 14,\nbut an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds\nto be triggered by an attempt to access an element at index 29.\n\nAdd a new attr_id attr_clusters_in_group with values in the range\n[0, sbi-\u003es_clusters_per_group] and declare mb_group_prealloc as\nthat type to fix the issue. In addition avoid returning an order\nfrom mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)\nand reduce some useless loops."
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:08:52.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/677ff4589f1501578fa903a25bb14831d0607992"
},
{
"url": "https://git.kernel.org/stable/c/b829687ae1229224262bcabf49accfa2dbf8db06"
},
{
"url": "https://git.kernel.org/stable/c/13df4d44a3aaabe61cd01d277b6ee23ead2a5206"
}
],
"title": "ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40955",
"datePublished": "2024-07-12T12:31:58.328Z",
"dateReserved": "2024-07-12T12:17:45.592Z",
"dateUpdated": "2024-12-19T09:08:52.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-40955\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-12T13:15:17.697\",\"lastModified\":\"2024-11-21T09:31:56.543\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()\\n\\nWe can trigger a slab-out-of-bounds with the following commands:\\n\\n mkfs.ext4 -F /dev/$disk 10G\\n mount /dev/$disk /tmp/test\\n echo 2147483647 \u003e /sys/fs/ext4/$disk/mb_group_prealloc\\n echo test \u003e /tmp/test/file \u0026\u0026 sync\\n\\n==================================================================\\nBUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\\nRead of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11\\nCPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521\\nCall Trace:\\n dump_stack_lvl+0x2c/0x50\\n kasan_report+0xb6/0xf0\\n ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\\n ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]\\n ext4_mb_new_blocks+0x88a/0x1370 [ext4]\\n ext4_ext_map_blocks+0x14f7/0x2390 [ext4]\\n ext4_map_blocks+0x569/0xea0 [ext4]\\n ext4_do_writepages+0x10f6/0x1bc0 [ext4]\\n[...]\\n==================================================================\\n\\nThe flow of issue triggering is as follows:\\n\\n// Set s_mb_group_prealloc to 2147483647 via sysfs\\next4_mb_new_blocks\\n ext4_mb_normalize_request\\n ext4_mb_normalize_group_request\\n ac-\u003eac_g_ex.fe_len = EXT4_SB(sb)-\u003es_mb_group_prealloc\\n ext4_mb_regular_allocator\\n ext4_mb_choose_next_group\\n ext4_mb_choose_next_group_best_avail\\n mb_avg_fragment_size_order\\n order = fls(len) - 2 = 29\\n ext4_mb_find_good_group_avg_frag_lists\\n frag_list = \u0026sbi-\u003es_mb_avg_fragment_size[order]\\n if (list_empty(frag_list)) // Trigger SOOB!\\n\\nAt 4k block size, the length of the s_mb_avg_fragment_size list is 14,\\nbut an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds\\nto be triggered by an attempt to access an element at index 29.\\n\\nAdd a new attr_id attr_clusters_in_group with values in the range\\n[0, sbi-\u003es_clusters_per_group] and declare mb_group_prealloc as\\nthat type to fix the issue. In addition avoid returning an order\\nfrom mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)\\nand reduce some useless loops.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: arreglar slab-out-of-bounds en ext4_mb_find_good_group_avg_frag_lists() Podemos activar un slab-out-of-bounds con los siguientes comandos: mkfs.ext4 -F /dev/ $disk 10G montaje /dev/$disk /tmp/test echo 2147483647 \u0026gt; /sys/fs/ext4/$disk/mb_group_prealloc echo test \u0026gt; /tmp/test/file \u0026amp;\u0026amp; sync ============ ==================================================== ==== ERROR: KASAN: losa fuera de los l\u00edmites en ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888121b9d0f0 por tarea kworker/u2:0/11 CPU: 0 PID: 11 Comm: kworker/ u2:0 Tainted: GL 6.7.0-next-20240118 #521 Seguimiento de llamadas: dump_stack_lvl+0x2c/0x50 kasan_report+0xb6/0xf0 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4_mb_regular_allocator+0x19e9 /0x2370 [ext4] text4_mb_new_blocks+0x88a/0x1370 [ text4] text4_ext_map_blocks+0x14f7/0x2390 [ext4] text4_map_blocks+0x569/0xea0 [ext4] text4_do_writepages+0x10f6/0x1bc0 [ext4] [...] ==================== ================================================ El flujo de La activaci\u00f3n del problema es la siguiente: // Establezca s_mb_group_prealloc en 2147483647 a trav\u00e9s de sysfs ext4_mb_new_blocks ext4_mb_normalize_request ext4_mb_normalize_group_request ac-\u0026gt;ac_g_ex.fe_len = EXT4_SB(sb)-\u0026gt;s_mb_group_prealloc ext4_mb_regular_allocator ext4_mb_choose _next_group ext4_mb_choose_next_group_best_avail mb_avg_fragment_size_order orden = fls(len) - 2 = 29 ext4_mb_find_good_group_avg_frag_lists frag_list = \u0026amp;sbi- \u0026gt;s_mb_avg_fragment_size[order] if (list_empty(frag_list)) // \u00a1Activa SOOB! En un tama\u00f1o de bloque de 4k, la longitud de la lista s_mb_avg_fragment_size es 14, pero se establece un s_mb_group_prealloc de gran tama\u00f1o, lo que provoca que los l\u00edmites de losa se activen al intentar acceder a un elemento en el \u00edndice 29. Agregue un nuevo attr_id attr_clusters_in_group con valores en el rango [0, sbi-\u0026gt;s_clusters_per_group] y declare mb_group_prealloc como ese tipo para solucionar el problema. Adem\u00e1s, evite devolver un pedido de mb_avg_fragment_size_order() mayor que MB_NUM_ORDERS(sb) y reduzca algunos bucles in\u00fatiles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5\",\"versionEndExcluding\":\"6.6.36\",\"matchCriteriaId\":\"A9A441DF-0244-4D7F-B25A-F692568FFC15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.9.7\",\"matchCriteriaId\":\"0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/13df4d44a3aaabe61cd01d277b6ee23ead2a5206\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/677ff4589f1501578fa903a25bb14831d0607992\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b829687ae1229224262bcabf49accfa2dbf8db06\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/13df4d44a3aaabe61cd01d277b6ee23ead2a5206\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/677ff4589f1501578fa903a25bb14831d0607992\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b829687ae1229224262bcabf49accfa2dbf8db06\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.