Homepage
About Snyk

Off-by-one Error Affecting kernel-debug package, versions *

Severity

 Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating

    Threat Intelligence

    EPSS
    0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RHEL7-KERNELDEBUG-8241140
  • published 22 Oct 2024
  • disclosed 21 Oct 2024
Report a new vulnerability Found a mistake?

Introduced: 21 Oct 2024

CVE-2024-49880 Open this link in a new tab
CWE-193 Open this link in a new tab

How to fix?

There is no fixed version for RHEL:7 kernel-debug.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-debug package and not the kernel-debug package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off by one issue in alloc_flex_gd()

Wesley reported an issue:

================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size.

The reproduction of the problem requires the following:

o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size;

Take n=0,flexbg_size=16 as an example:

          last:15

|o---------------|--------------n-| o_group:0 resize to n_group:30

The corresponding reproducer is:

img=test.img rm -f $img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again.

[ Note: another reproucer which this commit fixes is:

img=test.img rm -f $img truncate -s 25MiB $img mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img truncate -s 3GiB $img dev=losetup -f --show $img mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 3G umount $dev losetup -d $dev

-- TYT ]

CVSS Scores

version 3.1
Expand this section

NVD

7.8 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

Red Hat

5.5 medium