A critical vulnerability in the Linux kernel's nilfs2 file system has been fixed. Identified as CVE-2024-26956, it caused a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system with corrupted metadata. The issue arises from two flaws, both of which are addressed in the latest patches. Users are advised to update their Linux kernel to the latest version to ensure their systems are protected against this vulnerability.

First Flaw

When nilfs_get_block() locates a data block using btree or direct mapping, nilfs_dat_translate() can fail with the internal code -ENOENT because of DAT metadata corruption, and that code is passed back to nilfs_get_block(). As a result, nilfs_get_block() misidentifies an existing block as a non-existent one, leading to inconsistent failures for data block lookup and insertion.

Second Flaw

nilfs_get_block() returns a successful status code in the inconsistent state mentioned above. Consequently, the caller function __block_write_begin_int() (or another similar caller) requests a buffer read even though the buffer is not mapped. That request fails the BUG_ON check for the BH_Mapped flag in the submit_bh_wbc() function.

The fix for these issues is in the patch series "nilfs2: fix kernel bug at submit_bh_wbc()". Specifically, this patch fixes the first flaw by changing the return value to -EINVAL when a conversion using DAT fails with -ENOENT. As a result, the conflicting condition leading to the kernel bug is avoided. Here, -EINVAL indicates that metadata corruption was detected during the block lookup; it is handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer.
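The error-code ambiguity and its fix can be traced in a small user-space model. This is an added example, not the kernel's code or the patch itself: every function and type name is hypothetical, and the model assumes that inserting over an existing block reports "already exists" and that the caller treats this as success.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name below is hypothetical, not kernel code. */
enum blk_state { BLK_ABSENT, BLK_OK, BLK_DAT_CORRUPT };  /* constructed inputs */
struct gb_result { int err; bool mapped; };

/* DAT translation stand-in: a corrupted DAT entry yields -ENOENT. */
static int model_dat_translate(enum blk_state s) { return s == BLK_DAT_CORRUPT ? -ENOENT : 0; }

/* Lookup through the bmap layer. With fixed=true, a DAT -ENOENT becomes
 * -EINVAL, which the bmap layer reports as -EIO (file system error). */
static int model_bmap_lookup(enum blk_state s, bool fixed)
{
    if (s == BLK_ABSENT)
        return -ENOENT;                /* block genuinely does not exist */
    int ret = model_dat_translate(s);
    if (ret == -ENOENT && fixed)
        ret = -EINVAL;                 /* corruption, not absence */
    return ret == -EINVAL ? -EIO : ret;
}

/* Insert stand-in (model assumption): an existing block gives -EEXIST. */
static int model_insert(enum blk_state s) { return s == BLK_ABSENT ? 0 : -EEXIST; }

/* get_block stand-in; assumes -EEXIST from insert is treated as success. */
static struct gb_result model_get_block(enum blk_state s, bool fixed)
{
    struct gb_result r = { 0, false };
    int ret = model_bmap_lookup(s, fixed);
    if (ret == -ENOENT)                /* lookup says "absent": try to insert */
        ret = model_insert(s);
    if (ret == 0)
        r.mapped = true;               /* found, or newly inserted */
    else if (ret != -EEXIST)
        r.err = ret;                   /* real error reaches the caller */
    return r;                          /* -EEXIST path: err=0 but unmapped */
}

int main(void)
{
    struct gb_result a = model_get_block(BLK_DAT_CORRUPT, false);
    struct gb_result b = model_get_block(BLK_DAT_CORRUPT, true);
    printf("unfixed: err=%d mapped=%d\n", a.err, a.mapped);
    printf("fixed:   err=%d mapped=%d\n", b.err, b.mapped);
    return 0;
}
```

In the unfixed case the caller sees success with an unmapped buffer, which is the state the BH_Mapped check rejects; in the fixed case the caller sees -EIO and never issues the read.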

To review the complete patch and learn more about the changes made, refer to the original message(s) on the discussion thread. Please note that it is crucial to apply both patches in the series to ensure the vulnerability is entirely fixed.

With the release of this patch series, the Linux kernel has become more robust and secure against potential file system corruption threats. Users are strongly encouraged to update their kernels to the latest available version to safeguard their systems.

For further reading, please check the following references:

1. CVE-2024-26956 detailed report
2. Patch series "nilfs2: fix kernel bug at submit_bh_wbc()"

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 06/27/2024 13:15:57 UTC