{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: dax: fix overflowing extents beyond inode size when partially writing",
    "id" : "2320531",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320531"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1214",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: dax: fix overflowing extents beyond inode size when partially writing\nThe dax_iomap_rw() does two things in each iteration: map written blocks\nand copy user data to blocks. If the process is killed by user (See signal\nhandling in dax_iomap_iter()), the copied data will be returned and added\non inode size, which means that the length of written extents may exceed\nthe inode size, then fsck will fail. An example is given as:\ndd if=/dev/urandom of=file bs=4M count=1\ndax_iomap_rw\niomap_iter // round 1\next4_iomap_begin\next4_iomap_alloc // allocate 0~2M extents(written flag)\ndax_iomap_iter // copy 2M data\niomap_iter // round 2\niomap_iter_advance\niter->pos += iter->processed // iter->pos = 2M\next4_iomap_begin\next4_iomap_alloc // allocate 2~4M extents(written flag)\ndax_iomap_iter\nfatal_signal_pending\ndone = iter->pos - iocb->ki_pos // done = 2M\next4_handle_inode_extension\next4_update_inode_size // inode size = 2M\nfsck reports: Inode 13, i_size is 2097152, should be 4194304.  Fix?\nFix the problem by truncating extents if the written length is smaller\nthan expected.", "An inode corruption flaw was found in the Linux kernel's Ext4 file system functionality related to how a user can interrupt a write using the dax_iomap_rw() function. This flaw allows a local user to make non-fatal mistakes with Ext4, leading to a file system denial of service." ],
  "statement" : "The issue is within the logic of Ext4 when dax_iomap_rw() fails or similar, such as when the process is terminated by a user that is handled by dax_iomap_iter(). This is not a fatal error and doesn't lead to kernel panic or the file system being broken. However, it can lead to some issues in Ext4 that can be fixed later with fsck. This is considered a Low impact security issue, due to the bug in the logic of Ext4, but is rated Moderate because it falls between Low and Moderate levels. This issue does not affect Red Hat Enterprise Linux 8 as it uses an older version of Ext4. Red Hat Enterprise Linux 9 will be fixed in the latest versions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50015\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50015\nhttps://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50015-1eb0@gregkh/T" ],
  "name" : "CVE-2024-50015",
  "csaw" : false
}