CVE CyberSecurity Database News

CVE-2021-47004 - Linux Kernel f2fs Vulnerability Explained

Poster -

If you deal with filesystems on Linux, especially flash-based storage, you might have come across f2fs, the Flash-Friendly File System. In mid 2021, the Linux kernel's f2fs codebase was found to have a subtle but dangerous bug, now tracked as CVE-2021-47004. This post breaks down the issue, how it could corrupt your data, and how the Linux community fixed it.

What Is CVE-2021-47004?

CVE-2021-47004 is a logic flaw in the f2fs (Flash-Friendly File System) code in the Linux kernel. It specifically affects the get_victim() function, which is responsible for garbage collection and victim selection for new data allocation in certain modes.

Where Was the Mistake?

The root of the bug is how f2fs decides which segment or section of the storage to select as "victim" for garbage collection (GC) or new writes, especially in checkpoint (CP) disabling mode. Two related problems existed:

1. Not Checking Whole Section for Checkpointed Data

When running in "LFS" (Log-structured File System) mode and doing garbage collection, we should never pick a section with any checkpointed data as a victim. Once GC has finished, such a section can't be freed for reuse. The buggy code, however, only checked the *current segment*, not the *whole section*.

2. Risky Segment Selection in AT_SSR or SSR Mode

When using SSR (Segment Selective Reuse) or AT_SSR allocation modes, f2fs tries to find a segment for writing where checkpointed data and new data can fit fully. If f2fs mistakenly selects a segment that *still has checkpointed data*, and if the allocator tries to fully fill it, it may result in a kernel panic or even silent data corruption.

The "target" now has *n* checkpointed valid blocks and (512-n) new valid blocks.

- If SSR/AT_SSR allocator picks this segment for new writes (which it shouldn't), but there's no actual free space, a panic or data corruption can happen.

Before (Vulnerable)

// Only checks in the current segment, not the whole section
if (has_checkpointed_data_in_segment(segno))
    continue;

After (Patched)

// Correctly checks entire section for checkpointed data
if (has_checkpointed_data_in_section(segno))
    continue;

The change is subtle, but crucial. Instead of only checking for checkpointed data in a single segment, the fix ensures that the entire section is checked, avoiding selection of any "tainted" area.

Affected Versions

This bug affected major Linux kernel versions before the fix was merged upstream. Most distributions based on those kernels and using f2fs are at risk, but only if:

CP (Checkpoint) disabling mode is enabled

- LFS or SSR allocation modes are active (these are advanced f2fs options, not typical for plain USB sticks)

Exploit & Impact

Is it easily exploitable? While CVE-2021-47004 doesn’t provide a classic remote root or privilege escalation, it is highly dangerous in environments where f2fs is used (think: Android phones with custom kernels, embedded devices, or servers using f2fs for SSDs). The problem can trigger unpredictable file system behavior, including:

Filesystem inconsistencies

An attacker who can trigger garbage collection or fill the filesystem in the right way could (in theory) make the system crash or cause silent data corruption.

Official Fix & References

The issue was fixed in mainline code.

- Fix commit: f2fs: fix to avoid touching checkpointed data in get_victim()
- CVE page: NVD: CVE-2021-47004
- f2fs docs: F2FS Arch Wiki

How Do I Protect Myself?

1. Patch your kernel!
Any device running an affected version of the Linux kernel (before the above patch) and using f2fs should be upgraded ASAP.

2. Avoid using advanced f2fs modes unless needed.
CP disable, LFS, SSR modes are advanced, and while they offer performance in some cases, they also increase risk.

3. Regularly back up important data.
Data corruption can be subtle. Always keep backups.

Summary

CVE-2021-47004 is a perfect example of how low-level filesystem logic errors can wreak havoc in storage systems. The fix was straightforward but required deep understanding of both the f2fs data layout and GC/allocation interactions. If your device or server uses f2fs and you tweaked its advanced modes, patch immediately to avoid this sneaky bug.


For more technical deep-dives on recent Linux vulnerabilities, follow our blog and stay up-to-date!


References
- Linux Kernel Fix Commit
- CVE-2021-47004 NVD Info
- f2fs Documentation (Arch Wiki)

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 01/08/2025 17:43:50 UTC