{"id":"CVE-2024-40955","summary":"ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()\n\nWe can trigger a slab-out-of-bounds with the following commands:\n\n    mkfs.ext4 -F /dev/$disk 10G\n    mount /dev/$disk /tmp/test\n    echo 2147483647 \u003e /sys/fs/ext4/$disk/mb_group_prealloc\n    echo test \u003e /tmp/test/file && sync\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\nRead of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11\nCPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521\nCall Trace:\n dump_stack_lvl+0x2c/0x50\n kasan_report+0xb6/0xf0\n ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\n ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]\n ext4_mb_new_blocks+0x88a/0x1370 [ext4]\n ext4_ext_map_blocks+0x14f7/0x2390 [ext4]\n ext4_map_blocks+0x569/0xea0 [ext4]\n ext4_do_writepages+0x10f6/0x1bc0 [ext4]\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\n// Set s_mb_group_prealloc to 2147483647 via sysfs\next4_mb_new_blocks\n  ext4_mb_normalize_request\n    ext4_mb_normalize_group_request\n      ac-\u003eac_g_ex.fe_len = EXT4_SB(sb)-\u003es_mb_group_prealloc\n  ext4_mb_regular_allocator\n    ext4_mb_choose_next_group\n      ext4_mb_choose_next_group_best_avail\n        mb_avg_fragment_size_order\n          order = fls(len) - 2 = 29\n        ext4_mb_find_good_group_avg_frag_lists\n          frag_list = &sbi-\u003es_mb_avg_fragment_size[order]\n          if (list_empty(frag_list)) // Trigger SOOB!\n\nAt 4k block size, the length of the s_mb_avg_fragment_size list is 14,\nbut an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds\nto be triggered by an attempt to access an element at index 29.\n\nAdd a new attr_id attr_clusters_in_group with values in the range\n[0, sbi-\u003es_clusters_per_group] and declare mb_group_prealloc as\nthat type to fix the issue. In addition avoid returning an order\nfrom mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)\nand reduce some useless loops.","modified":"2026-04-02T12:17:23.033829Z","published":"2024-07-12T12:31:58.328Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40955.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/13df4d44a3aaabe61cd01d277b6ee23ead2a5206"},{"type":"WEB","url":"https://git.kernel.org/stable/c/677ff4589f1501578fa903a25bb14831d0607992"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b829687ae1229224262bcabf49accfa2dbf8db06"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40955.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40955"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7e170922f06bf46effa7c57f6035fc463d6edc7e"},{"fixed":"677ff4589f1501578fa903a25bb14831d0607992"},{"fixed":"b829687ae1229224262bcabf49accfa2dbf8db06"},{"fixed":"13df4d44a3aaabe61cd01d277b6ee23ead2a5206"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40955.json"}}],"schema_version":"1.7.5"}