fkie_cve-2024-50015
Vulnerability from fkie_nvd
Published
2024-10-21 19:15
Modified
2024-10-28 17:13
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: dax: fix overflowing extents beyond inode size when partially writing The dax_iomap_rw() does two things in each iteration: map written blocks and copy user data to blocks. If the process is killed by user(See signal handling in dax_iomap_iter()), the copied data will be returned and added on inode size, which means that the length of written extents may exceed the inode size, then fsck will fail. An example is given as: dd if=/dev/urandom of=file bs=4M count=1 dax_iomap_rw iomap_iter // round 1 ext4_iomap_begin ext4_iomap_alloc // allocate 0~2M extents(written flag) dax_iomap_iter // copy 2M data iomap_iter // round 2 iomap_iter_advance iter->pos += iter->processed // iter->pos = 2M ext4_iomap_begin ext4_iomap_alloc // allocate 2~4M extents(written flag) dax_iomap_iter fatal_signal_pending done = iter->pos - iocb->ki_pos // done = 2M ext4_handle_inode_extension ext4_update_inode_size // inode size = 2M fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix? Fix the problem by truncating extents if the written length is smaller than expected.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5efccdee4a7d507a483f20f880b809cc4eaef14dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8c30a9a8610c314554997f86370140746aa35661Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a9f331f51515bdb3ebc8d0963131af367ef468f6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/abfaa876b948baaea4d14f21a1963789845c8b4cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dda898d7ffe85931f9cca6d702a51f33717c501ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ec0dd451e236c46e4858d53e9e82bae7797a7af5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8a7c342326f6ad1dfdb30a18dd013c70f5e9669Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CDEE58F-38CA-430D-99B5-73349FB2715F",
              "versionEndExcluding": "5.10.227",
              "versionStartIncluding": "4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D51C05D-455B-4D8D-89E7-A58E140B864C",
              "versionEndExcluding": "5.15.168",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE",
              "versionEndExcluding": "6.1.113",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E90B9576-56C4-47BC-AAB0-C5B2D438F5D0",
              "versionEndExcluding": "6.6.55",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021",
              "versionEndExcluding": "6.10.14",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9",
              "versionEndExcluding": "6.11.3",
              "versionStartIncluding": "6.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: dax: fix overflowing extents beyond inode size when partially writing\n\nThe dax_iomap_rw() does two things in each iteration: map written blocks\nand copy user data to blocks. If the process is killed by user(See signal\nhandling in dax_iomap_iter()), the copied data will be returned and added\non inode size, which means that the length of written extents may exceed\nthe inode size, then fsck will fail. An example is given as:\n\ndd if=/dev/urandom of=file bs=4M count=1\n dax_iomap_rw\n  iomap_iter // round 1\n   ext4_iomap_begin\n    ext4_iomap_alloc // allocate 0~2M extents(written flag)\n  dax_iomap_iter // copy 2M data\n  iomap_iter // round 2\n   iomap_iter_advance\n    iter-\u003epos += iter-\u003eprocessed // iter-\u003epos = 2M\n   ext4_iomap_begin\n    ext4_iomap_alloc // allocate 2~4M extents(written flag)\n  dax_iomap_iter\n   fatal_signal_pending\n  done = iter-\u003epos - iocb-\u003eki_pos // done = 2M\n ext4_handle_inode_extension\n  ext4_update_inode_size // inode size = 2M\n\nfsck reports: Inode 13, i_size is 2097152, should be 4194304.  Fix?\n\nFix the problem by truncating extents if the written length is smaller\nthan expected."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: dax: se corrige el desbordamiento de extensiones m\u00e1s all\u00e1 del tama\u00f1o del inodo al escribir parcialmente. Dax_iomap_rw() hace dos cosas en cada iteraci\u00f3n: asigna bloques escritos y copia datos de usuario a bloques. Si el usuario finaliza el proceso (consulte el manejo de se\u00f1ales en dax_iomap_iter()), los datos copiados se devolver\u00e1n y se agregar\u00e1n al tama\u00f1o del inodo, lo que significa que la longitud de las extensiones escritas puede exceder el tama\u00f1o del inodo, entonces fsck fallar\u00e1. Se proporciona un ejemplo como: dd if=/dev/urandom of=file bs=4M count=1 dax_iomap_rw iomap_iter // ronda 1 ext4_iomap_begin ext4_iomap_alloc // asignar 0~2M de extensiones (bandera escrita) dax_iomap_iter // copiar 2M de datos iomap_iter // ronda 2 iomap_iter_advance iter-\u0026gt;pos += iter-\u0026gt;processed // iter-\u0026gt;pos = 2M ext4_iomap_begin ext4_iomap_alloc // asignar 2~4M de extensiones (bandera escrita) dax_iomap_iter fatal_signal_pending hecho = iter-\u0026gt;pos - iocb-\u0026gt;ki_pos // hecho = 2M ext4_handle_inode_extension ext4_update_inode_size // tama\u00f1o de inodo = 2M fsck informa: Inodo 13, i_size es 2097152, deber\u00eda ser 4194304. \u00bfSoluci\u00f3n? Solucione el problema truncando las extensiones si la longitud escrita es menor a la esperada."
    }
  ],
  "id": "CVE-2024-50015",
  "lastModified": "2024-10-28T17:13:53.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-21T19:15:04.890",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5efccdee4a7d507a483f20f880b809cc4eaef14d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/8c30a9a8610c314554997f86370140746aa35661"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a9f331f51515bdb3ebc8d0963131af367ef468f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/abfaa876b948baaea4d14f21a1963789845c8b4c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/dda898d7ffe85931f9cca6d702a51f33717c501e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ec0dd451e236c46e4858d53e9e82bae7797a7af5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f8a7c342326f6ad1dfdb30a18dd013c70f5e9669"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.