ACK: [SRU][J][PATCH 0/1] CVE-2024-27407

Thibault Ferrante thibault.ferrante at canonical.com
Tue Aug 5 12:57:18 UTC 2025


Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>

On 04/08/2025 19:19, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-27407
> 
> [ Impact ]
> 
> CVE-2024-27407 stems from an incorrect arithmetic overflow check in mi_enum_attr().
> The original code used:
>      if (t16 + le32_to_cpu(attr->res.data_size) > asize)
> This check was flawed: t16 is the current offset and attr->res.data_size is the size of the attribute data.
> Summing them before comparison allows overflow wrap-around, potentially bypassing the guard and enabling a buffer overflow.
> The correct logic should compute:
>     if (le32_to_cpu(attr->res.data_size) > asize - t16)
> This ensures that data_size itself doesn’t exceed the remaining space (asize - t16),
> preventing mis-reporting sizes that would overflow the buffer.
> 
> [ Fix ]
> 
> Plucky: Not affected
> Noble: Not affected
> Jammy: Backported fix commit
> 
> [ Test Plan ]
> 
> Compile and boot tested.
> Tested ntfs3 stability with stress-ng:
> 
> $ sudo mkfs.ntfs -f /dev/sdb1
> Cluster size has been automatically set to 4096 bytes.
> Creating NTFS volume structures.
> mkntfs completed successfully.
> $ sudo mkdir -p /mnt/ntfs3
> $ sudo mount -t ntfs3 /dev/sdb1 /mnt/ntfs3
> $ lsmod | grep ntfs
> ntfs3                 274432  1
> 
> $ cd /mnt/ntf3
> $ sudo stress-ng --hdd 4 --aggressive --dentry 4 --timeout 5m --metrics-brief
> stress-ng: info:  [1393] setting to a 300 second (5 mins, 0.00 secs) run per stressor
> stress-ng: info:  [1393] dispatching hogs: 4 hdd, 4 dentry
> stress-ng: info:  [1398] stress-ng-dentry: 16329719 dentries allocated
> stress-ng: info:  [1393] successful run completed in 310.72s (5 mins, 10.72 secs)
> stress-ng: info:  [1393] stressor       bogo ops real time  usr time  sys time   bogo ops/s     bogo ops/s
> stress-ng: info:  [1393]                           (secs)    (secs)    (secs)   (real time) (usr+sys time)
> stress-ng: info:  [1393] hdd              526150    309.39     10.30     39.26      1700.61       10616.42
> stress-ng: info:  [1393] dentry         16355282    306.77     54.78    791.49     53315.06       19326.32
> 
> [ Where Problems Could Occur ]
> 
> A regression here is unlikely due to the very limited scope
> of the patch.
> 
> 
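
The two forms of the check quoted in the cover letter above, run side by side on constructed values, as an added example that is not part of the original thread or the kernel source. The struct, the function names and the `t16 > asize` guard are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields named in the cover letter. */
struct res_attr {
    uint32_t asize;     /* total size of the attribute record */
    uint16_t data_off;  /* "t16": offset of the data inside the record */
    uint32_t data_size; /* claimed data size, read from disk (untrusted) */
};

/* Flawed form: the sum is evaluated in 32-bit unsigned arithmetic,
 * so a huge data_size wraps the sum to a small value and passes. */
int flawed_in_bounds(const struct res_attr *a)
{
    uint32_t t16 = a->data_off;
    return !(t16 + a->data_size > a->asize);
}

/* Corrected form: compare data_size with the remaining space.
 * The t16 > asize guard (an assumption of this example) keeps
 * asize - t16 from underflowing. */
int fixed_in_bounds(const struct res_attr *a)
{
    uint32_t t16 = a->data_off;
    if (t16 > a->asize)
        return 0;
    return !(a->data_size > a->asize - t16);
}

int main(void)
{
    /* Constructed sample records: { asize, data_off, data_size } */
    const struct res_attr samples[] = {
        { 0x60, 0x18, 0x40 },        /* fits: 0x18 + 0x40 = 0x58 */
        { 0x60, 0x18, 0x49 },        /* one byte past the end */
        { 0x60, 0x18, 0xFFFFFFF0u }, /* sum wraps to 0x08 */
        { 0x10, 0x18, 0x00 },        /* offset beyond the record */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("asize=0x%x off=0x%x size=0x%x flawed=%d fixed=%d\n",
               (unsigned)samples[i].asize, (unsigned)samples[i].data_off,
               (unsigned)samples[i].data_size,
               flawed_in_bounds(&samples[i]), fixed_in_bounds(&samples[i]));
    return 0;
}
```

Only the third record separates the two checks: the additive form accepts it because the sum wraps, while the subtractive form rejects it.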



