CVE-2024-40955

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40955
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40955.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40955
Published
2024-07-12T12:31:58Z
Modified
2025-10-17T08:02:35.542902Z
Summary
ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

We can trigger a slab-out-of-bounds with the following commands:

mkfs.ext4 -F /dev/$disk 10G
mount /dev/$disk /tmp/test
echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
echo test > /tmp/test/file && sync

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
Call Trace:
 dump_stack_lvl+0x2c/0x50
 kasan_report+0xb6/0xf0
 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
 ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
 ext4_mb_new_blocks+0x88a/0x1370 [ext4]
 ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
 ext4_map_blocks+0x569/0xea0 [ext4]
 ext4_do_writepages+0x10f6/0x1bc0 [ext4]

[...]

The flow of issue triggering is as follows:

// Set s_mb_group_prealloc to 2147483647 via sysfs
ext4_mb_new_blocks
  ext4_mb_normalize_request
    ext4_mb_normalize_group_request
      ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
  ext4_mb_regular_allocator
    ext4_mb_choose_next_group
      ext4_mb_choose_next_group_best_avail
        mb_avg_fragment_size_order
          order = fls(len) - 2 = 29
        ext4_mb_find_good_group_avg_frag_lists
          frag_list = &sbi->s_mb_avg_fragment_size[order]
          if (list_empty(frag_list)) // Trigger SOOB!

At 4k block size, the length of the s_mb_avg_fragment_size list is 14, but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds to be triggered by an attempt to access an element at index 29.

Add a new attr_id attr_clusters_in_group with values in the range [0, sbi->s_clusters_per_group] and declare mb_group_prealloc as that type to fix the issue. In addition avoid returning an order from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb) and reduce some useless loops.
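
The index arithmetic and the two bounds described above, as an added userspace model (not code from the kernel or from this advisory). NUM_ORDERS, CLUSTERS_PER_GROUP and all function names are assumptions for illustration; 32768 is assumed as s_clusters_per_group for a 4k-block filesystem.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model, not kernel code. Constants follow the 4k-block case above. */
#define NUM_ORDERS 14                 /* length of s_mb_avg_fragment_size at 4k */
#define CLUSTERS_PER_GROUP 32768u     /* assumed value of s_clusters_per_group */

/* fls(): 1-based position of the highest set bit, 0 when x == 0. */
static int model_fls(unsigned int x)
{
    int pos = 0;
    while (x) { pos++; x >>= 1; }
    return pos;
}

/* Order as computed in the flow above: nothing bounds it by NUM_ORDERS. */
static int order_before_fix(unsigned int len)
{
    int order = model_fls(len) - 2;
    return order < 0 ? 0 : order;
}

/* Order with a clamp added: never index past the last list. */
static int order_after_fix(unsigned int len)
{
    int order = order_before_fix(len);
    return order >= NUM_ORDERS ? NUM_ORDERS - 1 : order;
}

/* Models the sysfs range check: accept only [0, CLUSTERS_PER_GROUP]. */
static int store_group_prealloc(unsigned int value, unsigned int *tunable)
{
    if (value > CLUSTERS_PER_GROUP)
        return -EINVAL;
    *tunable = value;
    return 0;
}

/* True when order is a valid index into an array of NUM_ORDERS lists. */
static int index_in_bounds(int order)
{
    return order >= 0 && order < NUM_ORDERS;
}

int main(void)
{
    unsigned int prealloc = 512;      /* constructed starting value */
    unsigned int bad = 2147483647u;   /* value written in the reproducer */
    int rc = store_group_prealloc(bad, &prealloc);

    printf("before: order=%d in_bounds=%d\n", order_before_fix(bad),
           index_in_bounds(order_before_fix(bad)));
    printf("after:  order=%d in_bounds=%d\n", order_after_fix(bad),
           index_in_bounds(order_after_fix(bad)));
    printf("range check: rc=%d, tunable stays %u\n", rc, prealloc);
    return 0;
}
```

Either bound alone keeps the index inside the 14-entry array; the fix applies both, so a bad value is rejected at the sysfs write and an out-of-range order is still capped if one reaches the allocator.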

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7e170922f06bf46effa7c57f6035fc463d6edc7e
Fixed
677ff4589f1501578fa903a25bb14831d0607992
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7e170922f06bf46effa7c57f6035fc463d6edc7e
Fixed
b829687ae1229224262bcabf49accfa2dbf8db06
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7e170922f06bf46effa7c57f6035fc463d6edc7e
Fixed
13df4d44a3aaabe61cd01d277b6ee23ead2a5206

Affected versions

v6.*

v6.4
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.36
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.7