APPLIED: [SRU][J][PATCH 0/1] CVE-2024-27407
Mehmet Basaran
mehmet.basaran at canonical.com
Thu Aug 7 07:33:01 UTC 2025
Applied to jammy:linux master-next branch. Thanks.
Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com> writes:
> https://ubuntu.com/security/CVE-2024-27407
>
> [ Impact ]
>
> CVE-2024-27407 stems from an incorrect arithmetic overflow check in mi_enum_attr().
> The original code used:
> if (t16 + le32_to_cpu(attr->res.data_size) > asize)
> This check was flawed: t16 is the current offset and attr->res.data_size is the size of the attribute data.
> Summing them before comparison allows overflow wrap-around, potentially bypassing the guard and enabling a buffer overflow.
> The correct logic should compute:
> if (le32_to_cpu(attr->res.data_size) > asize - t16)
> This ensures that data_size itself doesn't exceed the remaining space (asize - t16),
> preventing mis-reporting sizes that would overflow the buffer.
>
> [ Fix ]
>
> Plucky: Not affected
> Noble: Not affected
> Jammy: Backported fix commit
>
> [ Test Plan ]
>
> Compile and boot tested.
> Tested ntfs3 stability with stress-ng:
>
> $ sudo mkfs.ntfs -f /dev/sdb1
> Cluster size has been automatically set to 4096 bytes.
> Creating NTFS volume structures.
> mkntfs completed successfully.
> $ sudo mkdir -p /mnt/ntfs3
> $ sudo mount -t ntfs3 /dev/sdb1 /mnt/ntfs3
> $ lsmod | grep ntfs
> ntfs3 274432 1
>
> $ cd /mnt/ntf3
> $ sudo stress-ng --hdd 4 --aggressive --dentry 4 --timeout 5m --metrics-brief
> stress-ng: info: [1393] setting to a 300 second (5 mins, 0.00 secs) run per stressor
> stress-ng: info: [1393] dispatching hogs: 4 hdd, 4 dentry
> stress-ng: info: [1398] stress-ng-dentry: 16329719 dentries allocated
> stress-ng: info: [1393] successful run completed in 310.72s (5 mins, 10.72 secs)
> stress-ng: info: [1393] stressor bogo ops real time usr time sys time bogo ops/s bogo ops/s
> stress-ng: info: [1393] (secs) (secs) (secs) (real time) (usr+sys time)
> stress-ng: info: [1393] hdd 526150 309.39 10.30 39.26 1700.61 10616.42
> stress-ng: info: [1393] dentry 16355282 306.77 54.78 791.49 53315.06 19326.32
>
> [ Where Problems Could Occur ]
>
> A regression here is unlikely due to the very limited scope
> of the patch.
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
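An added illustration of the point made in the quoted [ Impact ] section, not part of the reply above, the quoted patch description, or the kernel's own mi_enum_attr(): the two checks are reproduced in user space with uint16_t/uint32_t stand-ins for the kernel's u16 offset and u32 sizes (the field widths and the explicit t16 <= asize guard in the fixed variant are this example's assumptions), and a constructed set of (offset, data_size, attribute size) triples shows where the additive form wraps modulo 2^32 and accepts a data_size the subtractive form rejects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed check, as quoted: t16 (u16) is promoted to u32 and added to the
 * u32 data_size.  Unsigned addition wraps modulo 2^32, so a data_size close
 * to UINT32_MAX produces a small sum that passes the comparison.
 * Returns true when the attribute would be accepted. */
bool accept_resident_flawed(uint16_t t16, uint32_t data_size, uint32_t asize)
{
    uint32_t sum = (uint32_t)t16 + data_size; /* may wrap around */
    if (sum > asize)
        return false;
    return true;
}

/* Corrected check, as quoted: compare data_size against the remaining
 * space (asize - t16).  The leading t16 > asize guard is an assumption of
 * this example: it keeps the subtraction itself from wrapping. */
bool accept_resident_fixed(uint16_t t16, uint32_t data_size, uint32_t asize)
{
    if (t16 > asize)
        return false;
    if (data_size > asize - t16)
        return false;
    return true;
}

/* Constructed sample values (not taken from a real NTFS volume). */
struct sample {
    uint16_t t16;
    uint32_t data_size;
    uint32_t asize;
    const char *note;
};

static const struct sample samples[] = {
    { 0x18, 0x80,        0x100, "ordinary attribute: both accept" },
    { 0x18, 0xE8,        0x100, "exactly fills remaining space: both accept" },
    { 0x18, 0xF0,        0x100, "8 bytes too large: both reject" },
    { 0x18, 0xFFFFFFF0u, 0x100, "sum wraps to 0x8: flawed check accepts" },
};

/* Number of constructed samples on which the two checks disagree. */
int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct sample *s = &samples[i];
        if (accept_resident_flawed(s->t16, s->data_size, s->asize) !=
            accept_resident_fixed(s->t16, s->data_size, s->asize))
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct sample *s = &samples[i];
        printf("t16=0x%02x data_size=0x%08x asize=0x%x  flawed=%-6s fixed=%-6s  %s\n",
               s->t16, s->data_size, s->asize,
               accept_resident_flawed(s->t16, s->data_size, s->asize) ? "accept" : "reject",
               accept_resident_fixed(s->t16, s->data_size, s->asize) ? "accept" : "reject",
               s->note);
    }
    printf("checks disagree on %d of %zu samples\n",
           count_disagreements(), sizeof samples / sizeof samples[0]);
    return 0;
}
```

The last sample is the one the quoted text describes: 0x18 + 0xFFFFFFF0 is 0x100000008, which truncates to 0x8 in 32 bits and so compares as smaller than asize, whereas 0xFFFFFFF0 compared directly against the remaining 0xE8 bytes is rejected.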