A recent patch in the Linux kernel addresses a use-after-free vulnerability in the gfs2 filesystem, specifically in the gfs2_qd_dealloc function. This long read post will discuss the details of the vulnerability, explain the code snippet involved, and provide you with relevant links to the original references.

Background

The Global File System 2 (GFS2) is a shared disk file system used by Linux-based clusters. It allows multiple nodes to simultaneously access and modify a single, shared filesystem, making it suitable for parallel processing and high availability environments.

The Vulnerability

The specific vulnerability in question, assigned CVE-2023-52760, occurs when gfs2_qd_dealloc is called after the struct gfs2_sbd has been freed. This results in a use-after-free scenario, which can potentially lead to unpredictable behavior or crashes in user space programs, making it a security concern.

The vulnerability was introduced due to improper handling of quota cleanup in the gfs2_put_super() function. In both successful and unsuccessful (withdrawn) scenarios, the function should call gfs2_quota_cleanup() to clean up any quota structures. Missing this call led to the use-after-free issue.

The relevant code snippet in the gfs2_put_super() function is as follows

static void gfs2_put_super(struct super_block *sb) {
	struct gfs2_sbd *sdp = sb->s_fs_info;

	mutex_lock(&sdp->fss2_statfs_mutex);
	gfs2_statfs_func(sdp);
	mutex_unlock(&sdp->fss2_statfs_mutex);

	gfs2_make_fs_ro(sdp);
  ...

The gfs2_put_super() function starts by locking a mutex and then calls gfs2_make_fs_ro() to attempt to make the filesystem read-only. If this call is successful, it should follow up with proper cleanup of quota structures.

The fix is to properly call gfs2_quota_cleanup() and to avoid duplicating calls to gfs2_destroy_threads() and gfs2_quota_cleanup() after gfs2_make_fs_ro() has been called.

1. Linux Kernel Mailing List (LKML) patch submission
2. GFS2 Documentation

Patch

The patch for this vulnerability has been submitted and merged into the Linux kernel.

Exploit Details

Currently, there is no known direct exploit of this vulnerability. However, use-after-free issues can be leveraged by malicious attackers to execute arbitrary code or crash systems. The prompt patching of this vulnerability minimizes the risk of exploitation.

Conclusion

CVE-2023-52760 highlights the importance of proper memory management and cleanup in the Linux kernel, specifically within the GFS2 filesystem. Thanks to the efforts of the kernel maintainers and the community, this vulnerability has been addressed, reducing potential opportunities for malicious actors to exploit it. As a user or administrator of Linux systems, it's essential to keep your systems up-to-date and apply security patches promptly.

Timeline

Published on: 05/21/2024 16:15:15 UTC
Last modified on: 05/24/2024 01:12:54 UTC