[SRU][J][PATCH 0/1] CVE-2024-27407

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Mon Aug 4 17:19:15 UTC 2025


https://ubuntu.com/security/CVE-2024-27407

[ Impact ]

CVE-2024-27407 stems from an incorrect arithmetic overflow check in mi_enum_attr().
The original code used:
    if (t16 + le32_to_cpu(attr->res.data_size) > asize)
This check was flawed: t16 is the current offset and attr->res.data_size is the size of the attribute data.
Summing them before comparison allows overflow wrap-around, potentially bypassing the guard and enabling a buffer overflow.
The correct logic should compute:
    if (le32_to_cpu(attr->res.data_size) > asize - t16)
This ensures that data_size itself doesn't exceed the remaining space (asize - t16),
preventing mis-reporting sizes that would overflow the buffer.
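To make the wrap-around concrete, the following is an added stand-alone C model of both guards (example code, not the kernel's mi_enum_attr()); the u16/u32 types, the t16 <= asize precondition and the sample values are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Types assumed for this example (not taken from the report): a 16-bit
 * in-record data offset and 32-bit sizes, matching the le16/le32 accessors. */
typedef uint16_t u16;
typedef uint32_t u32;

/* Flawed guard, as quoted in the report. t16 is promoted and the sum is
 * evaluated in 32-bit unsigned arithmetic, so a huge data_size wraps the
 * sum to a small number and the comparison no longer rejects it. */
bool flawed_guard_accepts(u16 t16, u32 data_size, u32 asize)
{
    return !(t16 + data_size > asize);
}

/* Corrected guard: data_size must fit in the space left after the offset.
 * The t16 <= asize precondition is this example's assumption, added so the
 * subtraction cannot wrap on its own. */
bool fixed_guard_accepts(u16 t16, u32 data_size, u32 asize)
{
    if (t16 > asize)
        return false;
    return !(data_size > asize - t16);
}

/* Constructed scenario: a 0x200-byte attribute, data starting at offset
 * 0x18, and a data_size chosen so that t16 + data_size wraps to 0x08. */
#define EX_ASIZE     0x200u
#define EX_T16       0x18u
#define EX_WRAP_SIZE 0xFFFFFFF0u

int main(void)
{
    printf("flawed guard accepts wrapping size: %d\n",
           flawed_guard_accepts(EX_T16, EX_WRAP_SIZE, EX_ASIZE));  /* 1 */
    printf("fixed guard accepts wrapping size:  %d\n",
           fixed_guard_accepts(EX_T16, EX_WRAP_SIZE, EX_ASIZE));   /* 0 */
    /* A legitimate size that exactly fills the remaining space passes both. */
    printf("both accept exact fit: %d\n",
           flawed_guard_accepts(EX_T16, EX_ASIZE - EX_T16, EX_ASIZE) &&
           fixed_guard_accepts(EX_T16, EX_ASIZE - EX_T16, EX_ASIZE));  /* 1 */
    return 0;
}
```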

[ Fix ]

Plucky: Not affected
Noble: Not affected
Jammy: Backported fix commit

[ Test Plan ]

Compile and boot tested.
Tested ntfs3 stability with stress-ng:

$ sudo mkfs.ntfs -f /dev/sdb1
Cluster size has been automatically set to 4096 bytes.
Creating NTFS volume structures.
mkntfs completed successfully.
$ sudo mkdir -p /mnt/ntfs3
$ sudo mount -t ntfs3 /dev/sdb1 /mnt/ntfs3
$ lsmod | grep ntfs
ntfs3                 274432  1

$ cd /mnt/ntf3
$ sudo stress-ng --hdd 4 --aggressive --dentry 4 --timeout 5m --metrics-brief
stress-ng: info:  [1393] setting to a 300 second (5 mins, 0.00 secs) run per stressor
stress-ng: info:  [1393] dispatching hogs: 4 hdd, 4 dentry
stress-ng: info:  [1398] stress-ng-dentry: 16329719 dentries allocated
stress-ng: info:  [1393] successful run completed in 310.72s (5 mins, 10.72 secs)
stress-ng: info:  [1393] stressor       bogo ops real time  usr time  sys time   bogo ops/s     bogo ops/s
stress-ng: info:  [1393]                           (secs)    (secs)    (secs)   (real time) (usr+sys time)
stress-ng: info:  [1393] hdd              526150    309.39     10.30     39.26      1700.61       10616.42
stress-ng: info:  [1393] dentry         16355282    306.77     54.78    791.49     53315.06       19326.32

[ Where Problems Could Occur ]

A regression here is unlikely due to the very limited scope
of the patch.
