In the Linux kernel, a vulnerability has been resolved in nilfs2, the New Implementation of a Log-structured File System. The vulnerability was reported by syzbot, the automated fuzzing system that finds and reports Linux kernel bugs [1]. The issue arises when the nilfs2 inode bitmap is corrupted: an inode number still in use is handed out a second time, the resulting inode duplication lets i_nlink be decremented past zero during rmdir operations. In this post, we provide further details on the vulnerability, including the reported trace and links to the original references, as well as information on how the bug is triggered and fixed.

Syzbot reported a WARNING in the nilfs_rmdir path, as seen in the following excerpt of the report [1]:

WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407
...
Call Trace:
 <TASK>
 nilfs_rmdir+0x1b/0x250 fs/nilfs2/namei.c:342
 vfs_rmdir+0x3a3/0x510 fs/namei.c:4394
 do_rmdir+0x3b5/0x580 fs/namei.c:4453
 __do_sys_rmdir fs/namei.c:4472 [inline]
 __se_sys_rmdir fs/namei.c:447 [inline]
 __x64_sys_rmdir+0x47/0x50 fs/namei.c:447
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The warning occurs because an inode number that already belongs to the ".nilfs" file is handed out again by nilfs_mkdir for a directory named "file", so two names resolve to the same inode during execution. This duplication is what underflows i_nlink when rmdir is performed: the same task uses the inode twice, once to unmount and remove ".nilfs" and once to remove "file", and the second set of drop_nlink() calls finds i_nlink already at zero, which triggers the warning reached from nilfs_rmdir.

Solution

To resolve this issue, the proposed fix adds a check of i_nlink in the nilfs_iget() function. If i_nlink is zero, the on-disk inode has already been deleted, so iput is executed to release it rather than handing the stale inode back to the caller.

References

[1] syzbot: WARNING in nilfs_rmdir

Conclusion

The Linux kernel vulnerability in nilfs2, identified as CVE-2024-53690, has been resolved with a fix that prevents a deleted inode from being used again. By checking i_nlink in the nilfs_iget() function and executing iput to release the inode when it is zero, the fix avoids the inode duplication and the subsequent i_nlink underflow during rmdir operations. Following good security practices and promptly applying patches when available will help keep your Linux systems secure and up to date.

Timeline

Published on: 01/11/2025 13:15:26 UTC
Last modified on: 01/20/2025 06:22:03 UTC