Bug 2265836 (CVE-2024-26601)

Summary: CVE-2024-26601 kernel: ext4: regenerate buddy after block freeing failed if under fc replay
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.8-rc3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's ext4 filesystem related to the fast commit replay process. During this process, blocks that are already marked as free can be incorrectly marked as free again, leading to the corruption of the buddy bitmap, which is used to track free and allocated blocks. This corruption can result in filesystem inconsistencies and potential data loss. The issue is resolved by reintroducing the mb_regenerate_buddy() function, which regenerates the buddy bitmap to ensure its integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2265837    
Bug Blocks: 2267044    

Description Mauro Matteo Cascella 2024-02-24 17:51:43 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ext4: regenerate buddy after block freeing failed if under fc replay

The Linux kernel CVE team has assigned CVE-2024-26601 to this issue.

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024022411-CVE-2024-26601-b6ac@gregkh/T/#u
Comment 1 Mauro Matteo Cascella 2024-02-24 17:52:46 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265837]
Comment 2 Eric Sandeen 2024-02-24 21:17:26 UTC 
Just a note - although there is no reproducer provided, the claimed problematic commit 6bd97bf273bd is in upstream in v5.11. The fix landed in v6.8.

The problematic commit does not appear to have been backported to RHEL8.
It is present in RHEL9, though.

(It's not clear to me how this bug is a security flaw.)
Comment 4 Justin M. Forbes 2024-02-26 23:48:41 UTC 
This was fixed for Fedora with the 6.7.5 stable kernel updates.