CVE-2024-49958

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption

[EXTENTLISTFREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n

The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block.

    Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
    FS Generation: 904309833 (0x35e6ac49)
    CRC32: 00000000   ECC: 0000
    Type: Regular   Attr: 0x0   Flags: Valid
    Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
    Extended Attributes Block: 0  Extended Attributes Inline Size: 256
    User: 0 (root)   Group: 0 (root)   Size: 281320357888
    Links: 1   Clusters: 141738
    ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
    atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
    mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
    dtime: 0x0 -- Wed Dec 31 17:00:00 1969
    Refcount Block: 2777346
    Last Extblk: 2886943   Orphan Slot: 0
    Sub Alloc Slot: 0   Sub Alloc Bit: 14
    Tree Depth: 1   Count: 227   Next Free Rec: 230
    ## Offset        Clusters       Block#
    0  0             2310           2776351
    1  2310          2139           2777375
    2  4449          1221           2778399
    3  5670          731            2779423
    4  6401          566            2780447
    .......          ....           .......
    .......          ....           .......

The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2reflinkxattrinline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the lcount from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption.

The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49958.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ef962df057aaafd714f5c22ba3de1be459571fdf

Fixed

5c9807c523b4fca81d3e8e864dabc8c806402121

Fixed

74364cb578dcc0b6c9109519d19cbe5a56afac9a

Fixed

aac31d654a0a31cb0d2fa36ae694f4e164a52707

Fixed

020f5c53c17f66c0a8f2d37dad27ace301b8d8a1

Fixed

5c2072f02c0d75802ec28ec703b7d43a0dd008b5

Fixed

637c00e06564a945e9d0edb3d78d362d64935f9f

Fixed

9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9

Fixed

96ce4c3537114d1698be635f5e36c62dc49df7a4

Fixed

5ca60b86f57a4d9648f68418a725b3a7de2816b0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

3a32958d2ac96070c53d04bd8e013c97b260b5e6

Last affected

93f26306db89c9dc37885b76a1082e6d54d23b16

Last affected

26a849f49fb3347d126a0ed6611173f903374ef4

Last affected

1e7e4c9ae2a78a6791a2ca91a6a400f94855f01e

Last affected

1926bf8ae44d80c9f50103f11fc4f17e2e2bf684

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49958.json"