CVE-2024-49958

{"id": "CVE-2024-49958", "cveTags": [], "metrics": {}, "published": "2024-10-21T18:15:17.050", "references": [{"url": "https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: reserve space for inline xattr before attaching reflink tree\n\nOne of our customers reported a crash and a corrupted ocfs2 filesystem. \nThe crash was due to the detection of corruption. Upon troubleshooting,\nthe fsck -fn output showed the below corruption\n\n[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,\nbut fsck believes the largest valid value is 227. Clamp the next record value? n\n\nThe stat output from the debugfs.ocfs2 showed the following corruption\nwhere the \"Next Free Rec:\" had overshot the \"Count:\" in the root metadata\nblock.\n\n Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)\n FS Generation: 904309833 (0x35e6ac49)\n CRC32: 00000000 ECC: 0000\n Type: Regular Attr: 0x0 Flags: Valid\n Dynamic Features: (0x16) HasXattr InlineXattr Refcounted\n Extended Attributes Block: 0 Extended Attributes Inline Size: 256\n User: 0 (root) Group: 0 (root) Size: 281320357888\n Links: 1 Clusters: 141738\n ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024\n atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024\n mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024\n dtime: 0x0 -- Wed Dec 31 17:00:00 1969\n Refcount Block: 2777346\n Last Extblk: 2886943 Orphan Slot: 0\n Sub Alloc Slot: 0 Sub Alloc Bit: 14\n Tree Depth: 1 Count: 227 Next Free Rec: 230\n ## Offset Clusters Block#\n 0 0 2310 2776351\n 1 2310 2139 2777375\n 2 4449 1221 2778399\n 3 5670 731 2779423\n 4 6401 566 2780447\n ....... .... .......\n ....... .... .......\n\nThe issue was in the reflink workfow while reserving space for inline\nxattr. The problematic function is ocfs2_reflink_xattr_inline(). By the\ntime this function is called the reflink tree is already recreated at the\ndestination inode from the source inode. At this point, this function\nreserves space for inline xattrs at the destination inode without even\nchecking if there is space at the root metadata block. It simply reduces\nthe l_count from 243 to 227 thereby making space of 256 bytes for inline\nxattr whereas the inode already has extents beyond this index (in this\ncase up to 230), thereby causing corruption.\n\nThe fix for this is to reserve space for inline metadata at the destination\ninode before the reflink tree gets recreated. The customer has verified the\nfix."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ocfs2: reserva espacio para xattr en l\u00ednea antes de adjuntar \u00e1rbol reflink Uno de nuestros clientes inform\u00f3 de un fallo y un sistema de archivos ocfs2 da\u00f1ado. El fallo se debi\u00f3 a la detecci\u00f3n de una corrupci\u00f3n. Tras la resoluci\u00f3n de problemas, la salida de fsck -fn mostr\u00f3 la siguiente corrupci\u00f3n [EXTENT_LIST_FREE] La lista de extensiones del propietario 33080590 afirma que 230 es el siguiente registro de cadena libre, pero fsck cree que el valor v\u00e1lido m\u00e1s grande es 227. \u00bfFijar el siguiente valor de registro? n La salida de estad\u00edsticas de debugfs.ocfs2 mostr\u00f3 la siguiente corrupci\u00f3n, donde \"Next Free Rec:\" hab\u00eda superado \"Count:\" en el bloque de metadatos ra\u00edz. Inodo: 33080590 Modo: 0640 Generaci\u00f3n: 2619713622 (0x9c25a856) Generaci\u00f3n FS: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Tipo: Regular Atributo: 0x0 Indicadores: V\u00e1lido Caracter\u00edsticas din\u00e1micas: (0x16) HasXattr InlineXattr Refcounted Bloque de atributos extendidos: 0 Tama\u00f1o en l\u00ednea de atributos extendidos: 256 Usuario: 0 (ra\u00edz) Grupo: 0 (ra\u00edz) Tama\u00f1o: 281320357888 Enlaces: 1 Cl\u00fasteres: 141738 ctime: 0x66911b56 0x316edcb8 -- Vie Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Vie Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Vie Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Mi\u00e9 Dic 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... ....... ....... El problema estaba en el flujo de trabajo de reflink mientras se reservaba espacio para xattr en l\u00ednea. La funci\u00f3n problem\u00e1tica es ocfs2_reflink_xattr_inline(). Para cuando se llama a esta funci\u00f3n, el \u00e1rbol de reflink ya se ha recreado en el inodo de destino a partir del inodo de origen. En este punto, esta funci\u00f3n reserva espacio para xattrs en l\u00ednea en el inodo de destino sin siquiera verificar si hay espacio en el bloque de metadatos ra\u00edz. Simplemente reduce el l_count de 243 a 227, lo que crea un espacio de 256 bytes para xattr en l\u00ednea, mientras que el inodo ya tiene extensiones m\u00e1s all\u00e1 de este \u00edndice (en este caso, hasta 230), lo que provoca corrupci\u00f3n. La soluci\u00f3n para esto es reservar espacio para metadatos en l\u00ednea en el inodo de destino antes de que se vuelva a crear el \u00e1rbol de enlaces de referencia. El cliente ha verificado la soluci\u00f3n."}], "lastModified": "2024-10-23T15:13:25.583", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}