CVE-2023-4385 - Crashing Linux with a NULL Pointer Bug in JFS (`dbFree`)—Explained Simply

In 2023, cybersecurity experts found a serious bug in the Linux kernel's JFS file system. This vulnerability, tagged CVE-2023-4385, can let a local user crash the system by abusing a NULL pointer error. In this post, we'll break down what happened, why it matters, and how an attacker might exploit it—using clear language and code examples.

What's JFS and Why Should We Care?

JFS (Journaling File System) is one of several file systems found in Linux. It's not as common as ext4 anymore, but it's still supported. If you're running Linux systems with JFS, vulnerabilities like this could leave you open to system crashes.

There was a missing check for a NULL value that gets passed in.

- If a NULL value goes in and the function doesn't check, it can "dereference" it by accident, leading to a system crash (kernel panic).

Here’s a simplified version of the vulnerable code

int dbFree(struct inode *inode, s64 blkno, s64 nblocks) {
    struct bmap *bmp = JFS_IP(inode)->i_bmap;
    ...
    struct dmap *dp = bmp->db_map; // <-- This is the potentially NULL pointer

    // BUG: No NULL pointer check before use!
    dp->... // access dp can crash if dp is NULL
    ...
}

If bmp->db_map is NULL, accessing dp->... will make the kernel crash.

A missing sanity check like this could have prevented it

if (!dp) {
    printk(KERN_ERR "JFS: NULL db_map pointer in dbFree\n");
    return -EINVAL;
}

Exploit Details: How Could Someone Trigger This?

This flaw is local, meaning you need shell access to the Linux box (even if non-root).

Craft a Bad Inode

By corrupting or manipulating on-disk JFS structures (like the superblock or inodes), or triggering unexpected behavior from user space (possibly by using special filesystem operation or a malicious binary), the kernel may end up calling dbFree with a NULL db_map.

Trigger dbFree

Any operation that deletes files or frees space can trigger dbFree. For example, deleting files or running defragmentation or repair tools.

Result

The kernel dereferences the NULL pointer, causing an oops or full-blown kernel panic—leading to system denial of service.

While a working PoC is hard to share safely, here's a high-level sketch

# Steps an attacker might take (for testing only):

# 1. Create a JFS file system
mkfs.jfs /dev/loop

# 2. Mount it
mount -t jfs /dev/loop /mnt/test

# 3. Manipulate JFS structures
# -- [using a custom binary, or hex-editing the partition, to break i_bmap]

# 4. Delete a file or free space to trigger dbFree
rm /mnt/test/badfile

# System may crash if dbFree is called with a NULL pointer

Note: It's dangerous to run code like this except in a secure, isolated test environment.

Patches and Fixes

The Linux kernel team patched this bug by adding a simple NULL check before using the pointer. See the official commit:
- kernel.org commit

References

- Official Red Hat CVE page: CVE-2023-4385
- NVD entry on NIST
- Linux upstream patch commit

Quick Takeaway

- If you're running Linux systems (especially servers) with JFS, this bug could let regular users crash your box.

Even simple bugs like missing NULL checks can lead to serious vulnerabilities!

Stay safe. Patch early, patch often. Any questions about kernel security? Let us know in the comments.

Timeline

Published on: 08/16/2023 17:15:00 UTC
Last modified on: 08/22/2023 22:45:00 UTC