A newly disclosed vulnerability in the Linux kernel has been resolved: CVE-2023-52601. It affects the Journaled File System (JFS) and could lead to an array-index-out-of-bounds access in the dbAdjTree function. In this post, we discuss the details of the vulnerability, provide code snippets for better understanding, and include links to the original references.

Exploit Details

The dbAdjTree function in JFS is responsible for adjusting the summary tree of the disk allocation map pages; however, the index used to access the dmt_stree array was not bounds-checked, so a crafted or corrupted on-disk map could drive it past the end of the array. This can result in denial of service, data corruption, or other potential security issues.

To resolve this vulnerability, a boolean variable called is_ctl has been added; it records whether the page being processed is a control page and therefore selects the correct size of the dmt_stree array. The fix was proposed in the following mailing-list thread:
https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6ff9e75f4fa@oracle.com/

Code Snippet

The following code snippet demonstrates the changes made to fix the vulnerability in the Linux kernel.

/* existing code */
#define BSIZE 4096
#define L2BSIZE 12
/* ... */
bool is_ctl; /* newly added flag: is this a control page or not? */

/* ... */
/* Determine whether this is a control page, based on tree level and offset */
is_ctl = (level == 3 && offset == 1);

/* ... */
if (!is_ctl) {
	for (index = offset; index < LPERCTL; index++) {
		/* code that accesses dmt_stree, now within bounds */
	}
} else {
	for (index = offset; index < LPERCTL - 1; index++) {
		/* code that accesses dmt_stree, now within bounds */
	}
}

The above code adds a new boolean variable is_ctl that records whether the page is a control page, based on the tree level and offset. Depending on the value of is_ctl, the loop bound used when iterating over the dmt_stree array is chosen to match the array's actual size, which eliminates the array-index-out-of-bounds access.
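The following is an added example written for this post, not code from the kernel or from the patch linked above. It models the check the fix introduces: the JFS allocation-map summary tree is a 4-ary tree stored as a flat array (dmt_stree), a dmap page and a control page carry trees of different sizes, and the leaf index passed in must be validated against the size that is_ctl selects before anything is written. The node counts and leaf offsets below mirror the layout in fs/jfs/jfs_dmap.h but are the example's own constants; the struct, function and helper names (model_tree, model_dbAdjTree, model_tree_init, run_demo) are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a complete 4-ary tree stored as a flat
 * array with the root at index 0. Children of node p live at 4p+1..4p+4.
 * A dmap page tree has 256 leaves, a control page tree has 1024. */
#define TREESIZE     (1 + 4 + 16 + 64 + 256)          /* 341 nodes   */
#define LEAFIND      (1 + 4 + 16 + 64)                /* first leaf: 85 */
#define LPERCTL      1024                             /* leaves per control page */
#define CTLTREESIZE  (1 + 4 + 16 + 64 + 256 + 1024)   /* 1365 nodes  */
#define CTLLEAFIND   (1 + 4 + 16 + 64 + 256)          /* first leaf: 341 */

struct model_tree {
    int32_t leafidx;            /* index of the first leaf inside stree */
    int8_t  stree[CTLTREESIZE]; /* backing store big enough for either flavour;
                                   the *logical* size is selected by is_ctl */
};

static void model_tree_init(struct model_tree *tp, bool is_ctl)
{
    memset(tp, 0, sizeof(*tp));
    tp->leafidx = is_ctl ? CTLLEAFIND : LEAFIND;
}

/* Set leaf `leafno` to `newval` and propagate the maximum up to the root.
 * Returns 0 on success, -1 when the leaf index falls outside the tree for
 * this page type. The size check is the behaviour the CVE fix adds; without
 * it, `ti` is used as an array index straight away. */
static int model_dbAdjTree(struct model_tree *tp, int leafno, int8_t newval,
                           bool is_ctl)
{
    int max_size = is_ctl ? CTLTREESIZE : TREESIZE;
    int ti = leafno + tp->leafidx;

    /* The bounds check: reject instead of indexing past the tree. */
    if (ti < 0 || ti >= max_size)
        return -1;

    if (tp->stree[ti] == newval)
        return 0;
    tp->stree[ti] = newval;

    /* Walk towards the root; each parent holds the max of its 4 children.
     * Because every level is full, a node inside max_size has all of its
     * siblings inside max_size as well. */
    while (ti > 0) {
        int parent = (ti - 1) / 4;
        int first  = parent * 4 + 1;
        int8_t max = tp->stree[first];
        for (int k = 1; k < 4; k++)
            if (tp->stree[first + k] > max)
                max = tp->stree[first + k];
        if (tp->stree[parent] == max)
            break;              /* nothing above changes any further */
        tp->stree[parent] = max;
        ti = parent;
    }
    return 0;
}

/* Exercises both page types; returns the number of failed expectations. */
static int run_demo(void)
{
    struct model_tree dmap, ctl;
    int failures = 0;

    model_tree_init(&dmap, false);
    model_tree_init(&ctl, true);

    /* leaf 300 exists in a control page tree (1024 leaves) ... */
    failures += model_dbAdjTree(&ctl, 300, 3, true) != 0;
    failures += ctl.stree[0] != 3;                  /* max propagated to root */
    /* ... but 300 + 85 = 385 lies beyond the 341-node dmap tree: rejected. */
    failures += model_dbAdjTree(&dmap, 300, 3, false) != -1;
    /* one past the last control-page leaf is rejected too. */
    failures += model_dbAdjTree(&ctl, LPERCTL, 1, true) != -1;
    /* an in-range dmap leaf updates normally. */
    failures += model_dbAdjTree(&dmap, 0, 7, false) != 0;
    failures += dmap.stree[0] != 7;

    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("%d expectation(s) failed\n", failures);
    return failures != 0;
}
```

The point of the model is the single comparison against max_size: the same leaf number can be perfectly valid for a control page and out of range for a dmap page, so the size has to come from is_ctl rather than from a constant.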

For more information and the full source-code fix, please refer to the following references:

- Linux Kernel Mailing List (LKML) discussion and patch proposal: https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6ff9e75f4fa@oracle.com/
- Linux kernel JFS source code: https://github.com/torvalds/linux/tree/master/fs/jfs

Conclusion

CVE-2023-52601 has been resolved by adding a boolean check to ensure the correct size of the dmt_stree array when accessing it in the Linux kernel's JFS. This fix addresses the array-index-out-of-bounds issue, thus preventing potential security problems and improving overall stability. Users are advised to update their Linux kernel to the latest version that includes this patch for improved security and stability.

Timeline

Published on: 03/06/2024 07:15:10 UTC
Last modified on: 06/27/2024 12:15:15 UTC