CVE-2024-26704

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26704
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26704.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26704
Downstream
Related
Published
2024-04-03T15:15:53Z
Modified
2025-08-09T20:01:27Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double-free of blocks due to wrong extents moved_len

In ext4moveextents(), movedlen is only updated when all moves are successfully executed, and only discards originode and donorinode preallocations when movedlen is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations.

If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4mbreleaseinodepa() and ext4processfreeddata() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4IOCMOVEEXT")), and bbfree is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mbupdateavgfragmentsize() because bbfree is not zero and bb_fragments is zero.

Therefore, update move_len after each extent move to avoid the issue.

References

Affected packages