CVE-2023-52604: Linux Kernel Vulnerability - FS: JFS: UBSAN: array-index-out-of-bounds in dbAdjTree

The Linux Kernel, at the core of every Linux operating system, plays a crucial role in keeping the system running smoothly and securely. A recently reported vulnerability in one of its file systems undermined that guarantee. This post covers the details of the vulnerability, how it was reported, and the fix that was implemented.

FS: JFS (IBM's Journaling File System)
UBSAN: Undefined Behavior Sanitizer (a debugging tool)

The problem, an array-index-out-of-bounds access, occurs in the dbAdjTree function in the file jfs_dmap.c. This function adjusts a leaf of the block-allocation map's summary tree and propagates the change up to the leaf's parent nodes.

It has been assigned the following CVE ID: CVE-2023-52604

*_Issue Reporting_*

The issue was reported by the syzkaller tool, a powerful kernel fuzzer backed by Google's OSS-Fuzz project. The report indicated that an out-of-bounds access occurred in the file fs/jfs/jfs_dmap.c. Here is a snippet of the call trace from the report:

dbAdjTree+0x474/0x4f fs/jfs/jfs_dmap.c:2867
dbJoin+0x210/0x2d fs/jfs/jfs_dmap.c:2834
dbFreeBits+0x4eb/0xda fs/jfs/jfs_dmap.c:2331
dbFreeDmap fs/jfs/jfs_dmap.c:208 [inline]
dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
txUpdateMap+0x342/0x9e
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

The root cause was identified as the value of lp, the index used to access the tree array stree, exceeding the size of that array (CTLTREESIZE).

*_Resolution_*

The solution was simple but effective: a check that verifies whether the value of lp is greater than CTLTREESIZE before the array is accessed, so that an out-of-bounds access is refused rather than performed. Dave, a contributor to the Linux Kernel, further improved the patch by wrapping the check in WARN_ON_ONCE, so the bad index is reported the first time it is seen. Because dbAdjTree returns void, propagating an error to the callers would have required a more intrusive code reorganization, which is why the warn-and-return approach was chosen.

The patch was verified and tested with the syzbot service and is now part of the official Linux Kernel codebase.
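To make the fix concrete, here is a small model of the checked dbAdjTree pattern. This is an added example, not the kernel's code: the tree is a toy 4-ary summary tree with a made-up CTLTREESIZE of 21 entries, WARN_ON_ONCE is a stand-in that reports once and yields the condition, and the leaf index is computed from a dmt_leafidx field that, as in JFS, comes from on-disk metadata and therefore cannot be trusted. Since a C array of CTLTREESIZE elements has valid indices 0..CTLTREESIZE-1, the model rejects any lp that is negative or at least CTLTREESIZE; that form of the comparison is this example's assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a JFS dmap control tree (constructed for this example; the
 * real struct dmtree and its constants differ). A 4-ary tree of height 3:
 * slot 0 is the root, slots 1..4 are internal nodes, slots 5..20 are leaves. */
#define TREE_FANOUT  4
#define LEAF_COUNT   16
#define CTLTREESIZE  (1 + TREE_FANOUT + LEAF_COUNT)   /* 21 slots */
#define ROOT         0
#define NOFREE       (-1)

struct dmtree {
	int dmt_leafidx;                      /* slot of the first leaf; read from disk */
	signed char dmt_stree[CTLTREESIZE];   /* summary tree values */
};

/* Stand-in for the kernel's WARN_ON_ONCE(): reports the first time the
 * condition holds and returns the condition so it can guard a return. */
static int warn_count;
static int warn_on_once(int cond, const char *what)
{
	if (cond && warn_count++ == 0)
		fprintf(stderr, "WARNING: condition hit: %s\n", what);
	return cond;
}
#define WARN_ON_ONCE(cond) warn_on_once(!!(cond), #cond)

static void dmtree_init(struct dmtree *tp, int leafidx)
{
	memset(tp->dmt_stree, NOFREE, sizeof tp->dmt_stree);
	tp->dmt_leafidx = leafidx;
}

/* Model of dbAdjTree() with the bounds check the fix added. The leaf's
 * slot is derived from untrusted metadata, so it is validated before the
 * array is touched; a bad slot is reported and the update is skipped.
 * Returns true if the adjustment was applied, false if it was rejected. */
static bool dbAdjTree(struct dmtree *tp, int leafno, signed char newval)
{
	int lp = leafno + tp->dmt_leafidx;

	if (WARN_ON_ONCE(lp < 0 || lp >= CTLTREESIZE))
		return false;

	if (tp->dmt_stree[lp] == newval)
		return true;
	tp->dmt_stree[lp] = newval;

	/* Propagate the change upward: each parent holds the max of its children. */
	while (lp != ROOT) {
		int pp = (lp - 1) / TREE_FANOUT;        /* parent slot */
		int first = pp * TREE_FANOUT + 1;       /* first child slot */
		signed char max = tp->dmt_stree[first];
		for (int k = 1; k < TREE_FANOUT; k++)
			if (tp->dmt_stree[first + k] > max)
				max = tp->dmt_stree[first + k];
		if (tp->dmt_stree[pp] == max)
			break;                              /* nothing changes above here */
		tp->dmt_stree[pp] = max;
		lp = pp;
	}
	return true;
}

int main(void)
{
	struct dmtree t;

	dmtree_init(&t, 1 + TREE_FANOUT);   /* leaves start at slot 5 */
	printf("leaf 3 -> 7: %s, root now %d\n",
	       dbAdjTree(&t, 3, 7) ? "applied" : "rejected", t.dmt_stree[ROOT]);
	printf("leaf %d (past the last leaf): %s\n", LEAF_COUNT,
	       dbAdjTree(&t, LEAF_COUNT, 7) ? "applied" : "rejected");

	/* Constructed scenario: a corrupted on-disk leaf index, as a malformed
	 * image would supply. Without the check this would index past stree. */
	t.dmt_leafidx = 100;
	printf("leaf 0 with corrupted leafidx: %s, root still %d\n",
	       dbAdjTree(&t, 0, 9) ? "applied" : "rejected", t.dmt_stree[ROOT]);
	return 0;
}
```

The point of the model is where the check sits: before the first write, on the derived index rather than on the inputs separately, so that a corrupted dmt_leafidx and an out-of-range leafno are both caught by the same guard.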

*_Conclusion_*

The resolution of CVE-2023-52604 highlights the importance of continuous fuzzing and diligent debugging in maintaining the security and stability of systems that rely on the Linux Kernel. With the patch in place, users running a kernel that includes it are protected from this particular vulnerability.

For further details on the original discussion and resolution, see the thread on the Linux Kernel Mailing List (LKML): lkml.org/lkml/202/10/19/253

Timeline

Published on: 03/06/2024 07:15:11 UTC
Last modified on: 06/27/2024 12:15:15 UTC