A use-after-free vulnerability (CVE-2024-27070) in the Linux kernel's f2fs (Flash-Friendly File System) has been identified and fixed. The bug sits in the f2fs page-fault handler, so it is reachable from a page fault on an f2fs-backed file mapping. This blog post walks through the bug report, the root cause, the fix, and links to the relevant resources.

Vulnerability Details

The problem was reported by syzbot, the automated kernel fuzzer that finds bugs by running randomized system-call sequences against the kernel and reporting sanitizer (KASAN) splats. The report reads:

BUG: KASAN: slab-use-after-free in f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49
Read of size 8 at addr ffff88807bb22680 by task syz-executor184/5058

The issue occurs in f2fs_filemap_fault(): after calling filemap_fault(), it dereferences vmf->vma without re-validating it, even though the VMA may have been freed in the meantime. The direct consequence is a kernel crash (denial of service). As with any kernel use-after-free, more serious exploitation cannot be ruled out, but none has been demonstrated for this bug.

Root Cause and Fix

The root cause lies in f2fs_filemap_fault() in fs/f2fs/file.c. filemap_fault() may drop the mmap lock while it waits for a page to be read in (returning VM_FAULT_RETRY), and once the lock is dropped a concurrent unmap can free the VMA. vmf->vma is therefore not guaranteed to be alive after filemap_fault() returns, and reading vmf->vma->vm_flags at that point for trace_f2fs_filemap_fault() is a use-after-free.

The fix is to copy vm_flags into a local variable before calling filemap_fault() and pass that saved value to the tracepoint, so nothing in the VMA is touched after the call that may invalidate it. Here is the code snippet of the fix:

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 77a7d33ba10c..36ee19b75c20 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -32,7 +32,7 @@ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
 {
         struct dentry *dentry = vmf->vma->vm_file->f_path.dentry;
         struct inode *inode = d_inode(dentry);
-        vmf->vma->vmFlags = vmf->vma->vm_flags;
+        unsigned long vm_flags = vmf->vma->vm_flags;
 
         trace_f2fs_filemap_fault(inode, vmf->pgoff, FTRACE_INPUT);
 
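Review bot: the removed line `vmf->vma->vmFlags = vmf->vma->vm_flags;` stored the copy inside the very object whose lifetime is in question, so it never protected anything; the new local `unsigned long vm_flags` is the right shape because it lives on the caller's stack. Two follow-ups for this hunk: the kernel's `vm_flags_t` would match the field's type better than `unsigned long`, and the entry tracepoint in the unchanged context, `trace_f2fs_filemap_fault(inode, vmf->pgoff, FTRACE_INPUT);`, still does not receive the captured flags, so either pass `vm_flags` there too or note that the entry event intentionally omits them.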
@@ -47,7 +47,7 @@ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
                 return readonly_filesystem(inode) ? VM_FAULT_NOPAGE :
                                                      VM_FAULT_SIGBUS;
 
-        trace_f2fs_filemap_fault_done(inode, vmf->vma->vmFlags);
+        trace_f2fs_filemap_fault_done(inode, vm_flags);
         return ret;
 }
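Review bot: the early return `return readonly_filesystem(inode) ? VM_FAULT_NOPAGE : VM_FAULT_SIGBUS;` in this hunk's context leaves the function before `trace_f2fs_filemap_fault_done()` runs, so faults taking that branch never emit the completion event; if that is intended, a short comment would help, otherwise trace before returning. The replacement `trace_f2fs_filemap_fault_done(inode, vm_flags);` is the actual fix: it reads the snapshot taken before `filemap_fault()` instead of `vmf->vma->vmFlags`, which is exactly the post-call dereference the KASAN report flagged, and a one-line comment above it saying why `vmf->vma` must not be touched after `filemap_fault()` would stop the pattern from being reintroduced.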

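The hazard described in the root-cause section, and the shape of the fix, can be reproduced in a small userspace model. The following is an added example written for this post, not kernel code and not part of the upstream fix: `vm_area_struct`, `vm_fault`, `filemap_fault()` and the tracepoint are stand-ins with made-up bodies, and the `live` flag plus `read_vm_flags()` emulate KASAN's freed-slab check so that the stale read is counted instead of being undefined behaviour. It contrasts the vulnerable ordering (read `vmf->vma` after the inner fault) with the fixed ordering (snapshot `vm_flags` first), and shows that the bug only fires on the retry path where the VMA goes away.

```c
/* Added example, not kernel code: models the f2fs_filemap_fault() hazard.
 * The fault handler is handed a vma; the inner fault routine may drop the
 * mmap lock, during which a racing munmap() can free that vma. */
#include <stdbool.h>
#include <stdio.h>

#define VM_READ   0x1UL
#define VM_SHARED 0x8UL

#define VM_FAULT_LOCKED 0x0200UL
#define VM_FAULT_RETRY  0x0400UL

/* Hypothetical stand-in for the kernel struct; "live" emulates KASAN's
 * knowledge of whether the slab object has been freed. */
struct vm_area_struct {
    unsigned long vm_flags;
    bool live;
};

struct vm_fault {
    struct vm_area_struct *vma;
    unsigned long pgoff;
};

/* Number of stale reads detected: what KASAN would print a splat for. */
static int uaf_reports;

/* Simulated free: marks the object dead and poisons it. Nothing is actually
 * released, so reading it afterwards is well defined in this model. */
static void vma_free(struct vm_area_struct *vma)
{
    vma->live = false;
    vma->vm_flags = 0xdeadbeefUL;
}

/* Checked load, standing in for KASAN's shadow check on every access. */
static unsigned long read_vm_flags(const struct vm_area_struct *vma)
{
    if (!vma->live) {
        uaf_reports++;
        fprintf(stderr, "BUG: KASAN-like slab-use-after-free read of vm_flags\n");
    }
    return vma->vm_flags;
}

/* Stand-in for filemap_fault(): if the page is cached it completes with the
 * lock held; otherwise it "drops the lock" to wait for I/O, the modelled
 * concurrent munmap() frees the vma, and VM_FAULT_RETRY is returned. */
static unsigned long filemap_fault(struct vm_fault *vmf, bool page_cached)
{
    if (page_cached)
        return VM_FAULT_LOCKED;
    vma_free(vmf->vma);
    return VM_FAULT_RETRY;
}

/* Tracepoint stand-in: records the flags value it was handed. */
static unsigned long traced_flags;
static void trace_f2fs_filemap_fault(unsigned long pgoff, unsigned long flags,
                                     unsigned long ret)
{
    (void)pgoff;
    (void)ret;
    traced_flags = flags;
}

/* Vulnerable ordering: dereferences vmf->vma after filemap_fault() returned. */
static unsigned long fault_vulnerable(struct vm_fault *vmf, bool page_cached)
{
    unsigned long ret = filemap_fault(vmf, page_cached);
    trace_f2fs_filemap_fault(vmf->pgoff, read_vm_flags(vmf->vma), ret);
    return ret;
}

/* Fixed ordering: snapshot vm_flags while the vma is known to be alive. */
static unsigned long fault_fixed(struct vm_fault *vmf, bool page_cached)
{
    unsigned long vm_flags = read_vm_flags(vmf->vma);
    unsigned long ret = filemap_fault(vmf, page_cached);
    trace_f2fs_filemap_fault(vmf->pgoff, vm_flags, ret);
    return ret;
}

/* Runs one handler against a fresh vma; returns how many stale reads occurred. */
static int run_case(unsigned long (*handler)(struct vm_fault *, bool),
                    bool page_cached)
{
    struct vm_area_struct vma = { .vm_flags = VM_READ | VM_SHARED, .live = true };
    struct vm_fault vmf = { .vma = &vma, .pgoff = 7 };

    uaf_reports = 0;
    handler(&vmf, page_cached);
    return uaf_reports;
}

int main(void)
{
    printf("vulnerable, page cached : %d stale reads\n", run_case(fault_vulnerable, true));
    printf("vulnerable, retry path  : %d stale reads\n", run_case(fault_vulnerable, false));
    printf("fixed, retry path       : %d stale reads\n", run_case(fault_fixed, false));
    return 0;
}
```

The point the model makes is the one that matters in review: the copy must be taken before the call that can invalidate the object, and it must live somewhere the object's lifetime does not govern (here, the handler's stack). Storing the copy back into the VMA, or reading any VMA field after filemap_fault(), is the same bug in a different coat.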
References

1. Linux Git Commit
2. Syzbot Bug Report

Conclusion

The use-after-free in the Linux kernel's f2fs_filemap_fault() was fixed by copying vm_flags into a local variable before calling filemap_fault() and handing that saved value to the tracepoint, so the VMA is never touched after the call that may free it. If you use f2fs, update to a kernel that carries the fix (your distribution's advisory for CVE-2024-27070 lists the fixed versions) to close this crash and denial-of-service vector.

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 05/29/2024 05:28:00 UTC