From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Jan Kara <jack@suse.cz>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-26774: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
Date: Wed, 17 Apr 2024 18:12:04 +0200 [thread overview]
Message-ID: <2024041721-reboot-squall-310e@gregkh> (raw)
In-Reply-To: <20240417145446.uh2rqcbxlebnkbfm@quack3>
On Wed, Apr 17, 2024 at 04:54:46PM +0200, Jan Kara wrote:
> On Wed 17-04-24 15:30:03, Greg Kroah-Hartman wrote:
> > On Wed, Apr 17, 2024 at 01:43:24PM +0200, Jan Kara wrote:
> > > Hello!
> > >
> > > On Wed 03-04-24 19:31:41, Greg Kroah-Hartman wrote:
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
> > > >
> > > > Determine if bb_fragments is 0 instead of determining bb_free to eliminate
> > > > the risk of dividing by zero when the block bitmap is corrupted.
> > > >
> > > > The Linux kernel CVE team has assigned CVE-2024-26774 to this issue.
> > >
> > > I'd like to understand what is the imagined security threat fixed by this
> > > patch (as multiple patches of similar nature got assigned a CVE). The patch
> > > fixes a bug that if a corrupted filesystem is read-write mounted, we can do
> > > division-by-zero. Now if you can make the system mount a corrupted
> > > filesystem, you can do many interesting things to the system other than
> > > create a division by zero... So what is the presumed threat model here?
> >
> > Exactly what you said, "if you mount a corrupted file system, you will
> > get a divide by zero fault."
> >
> > Many systems auto-mount any filesystem plugged into it. If yours do
> > not, then yours does not need to worry about this type of CVE.
>
> OK, understood. But let me state that with the current state of affairs in
> the filesystem land, it will not take a determined attacker long to get
> arbitrary code execution out of "maliciously corrupted fs mounted". The
> code of most filesystems has simply never been written with the assumption
> that it can be presented with malicious data and we have hundreds of
> thousands lines of code like that. We have fixed the most glaring problems
> but by far not all (partly because of performance and maintenance costs,
> partly because they are baked into on-disk formats).
I totally agree. It's up to the distros to stop doing this if they wish
to stop this problem from happening.
thanks,
greg k-h
prev parent reply other threads:[~2024-04-17 16:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-03 17:31 CVE-2024-26774: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt Greg Kroah-Hartman
2024-04-17 11:43 ` Jan Kara
2024-04-17 13:30 ` Greg Kroah-Hartman
2024-04-17 14:54 ` Jan Kara
2024-04-17 15:29 ` Theodore Ts'o
2024-04-17 16:12 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024041721-reboot-squall-310e@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=jack@suse.cz \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.