CVE-2024-26982 - Linux Kernel Squashfs Out of Bounds Access Due to Invalid Inode Number

A recently fixed vulnerability in the Linux kernel’s Squashfs filesystem could allow for an out of bounds memory access, potentially leading to system instability or local privilege escalation. Identified as CVE-2024-26982, this issue arises from a failure to properly check inode numbers, allowing an invalid (zero) inode number to slip through certain allocation and metadata routines. In this post, we’ll break down what happened, how the bug occurs, see snippets of the vulnerable code, and understand how the patch resolves the issue. We’ll also look at how this vulnerability might be exploited, what this means for system administrators and users, with links to more in-depth resources.

What is Squashfs?

Squashfs is a compressed read-only filesystem for Linux that is often used in embedded systems, live distributions, and appliances. It’s designed to pack lots of data into a small space for read-only access, which is great for distributing pre-built systems or firmware.

Where’s the Problem?

The bug exists deep in Squashfs’s metadata handling code. Here’s the sequence that causes the issue, step-by-step:

A kernel function fill_meta_index() creates and fills metadata indices.

- If there’s a data read error (for example, when reading from a corrupted or malicious filesystem), the process bails out and sets the inode number in the metadata index to zero. Zero isn’t valid for an inode number, so this should never be used.

The next time fill_meta_index() is invoked, the same invalid index (with inode = ) is reused.

- The code expects the index to be fully initialized, but since it isn’t, reading from it can trigger out of bounds memory access.

Here’s a simplified pseudocode view of where the problem can manifest (for illustration)

// BAD: Metadata index may have inode == 
struct meta_index *fill_meta_index(...)
{
    struct meta_index *index = empty_meta_index(); // new index

    // Attempt to read filesystem data
    if (read_error) {
        index->ino = ; // Marks as unused/invalid
        return NULL;
    }

    // continue using index...
}

When locate_meta_index() later looks for a matching index, it may find an 'empty' index (ino == ) and treat it as usable -- which it is not!

The Fix

A patch to the kernel added a sanity check to prevent inodes with a zero value from ever being created. Now, anytime a new inode is processed, the kernel checks and bails out with an error if the inode value is zero.

Patched Code Snippet

if (inode_number == ) {
    return -EINVAL; // Don't proceed, report invalid inode
}

The check ensures no invalid inode numbers slip into the core Squashfs logic, preventing dangling or out-of-bounds references.

Who Could Exploit This?

Anyone able to mount a crafted Squashfs filesystem could, in theory, trigger this bug. That means local users with mount privileges or physical access could leverage this flaw. Remote exploitation is unlikely unless a remote filesystem mounting service is in play.

Impact

A successful attacker could trigger a kernel crash (leading to a denial of service) or—depending on the rest of the kernel’s memory protection setup—potentially execute code in kernel space or escalate privileges.

How Would an Exploit Work?

A malicious user could create a Squashfs image containing a file with an inode number of zero (which is not normally valid). On mounting, they could trigger the race where the invalid metadata index is reused, causing the kernel to access memory outside intended bounds.

A minimal example exploit might involve

1. Crafted Squashfs Image: Manipulate the superblock or inode table to inject zero as an inode number.
2. Mount the filesystem: Let the kernel process the malformed filesystem and hit the vulnerable code path.

Trigger OOB access: If successful, observe system crash, oops, or other buggy behavior.

*Note: Exploiting kernel memory corruption can be complex, so real-world privilege escalation may require chaining this with other bugs.*

Apply the latest kernel updates from your distribution.

- If you build your own kernels, ensure you have the patch for CVE-2024-26982.

Detection

Unusual kernel crashes (Oops) or reports involving Squashfs may indicate probing attempts. Audit logs for unexpected mount operations can help.

References

- Linux Kernel Mailing List: Patch for CVE-2024-26982
- Upstream Commit
- Squashfs Filesystem Project
- CVE Details for CVE-2024-26982

Conclusion

CVE-2024-26982 is a kernel bug arising from a missing sanity check in the Squashfs filesystem—in effect, a small oversight with potentially big impact. The fix is simple: never handle inodes with the invalid value of zero. Users and administrators should update their kernels promptly, especially on systems where unprivileged users can mount filesystems.

Stay patched—and keep your kernels secure!

If you're interested in kernel security or filesystem bugs, this is a classic example of how small mistakes (like a missing check for zero) can create serious issues. If you have root or kernel build access, always stay up to date. For further reading or patch details, check out the linked resources above.

Timeline

Published on: 05/01/2024 06:15:15 UTC
Last modified on: 03/03/2025 17:47:59 UTC