A recently discovered vulnerability in the Linux kernel, CVE-2023-52444, pertains to the f2fs file system. The vulnerability may cause directory entry corruption in certain situations. This vulnerability has now been resolved with a patch released by the kernel maintainers.

Details of the Vulnerability

In the Linux kernel, the f2fs_rename() function handles the renaming of files and directories. A bug in this function is the root cause of the directory entry corruption vulnerability. Specifically, the function fails to correctly update the ".." link when performing a cross-directory rename operation with a whiteout flag [1].

This issue was reported by Al Viro on the Linux kernel mailing list [1]. The problem description is as follows:

f2fs_rename()
...
        f2fs_put_page(old_dir_page, );

The code snippet above is from the f2fs_rename() function. The issue occurs because, in the cross-directory rename case that also leaves a whiteout, f2fs_set_link() is not called to update the moved directory's ".." link to the new parent directory. The stale ".." entry still names the old parent's inode, which is the dirent corruption fsck later reports.

The vulnerability can be triggered by running the following test case:

1. mkdir -p dir/foo
2. renameat2 -w dir/foo bar

After executing these commands, the filesystem may report a bad inode number error and fail an fsck check due to dirent corruption [1]:

[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[x4] for '..', parent parent ino is [x3]
[FSCK] other corrupted bugs [Fail]
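The following script is an added regression check, not code from the advisory or the kernel patch. It runs the test case above on a scratch loop-mounted f2fs image, then asks fsck.f2fs whether the moved directory's ".." entry is reported as bad, so you can tell whether a given kernel is patched. It assumes root, f2fs-tools (mkfs.f2fs, fsck.f2fs), python3 with a glibc that exports renameat2(), and kernel f2fs support; the renameat2 call goes through ctypes because there is no standard renameat2(1) utility.

```shell
#!/bin/sh
# Added regression check for CVE-2023-52444 (not from the kernel patch or the
# advisory). Destructive only to the scratch image it creates itself.
set -eu

# Returns 0 when fsck.f2fs output (on stdin) contains the ".." assertion the
# advisory quotes, 1 otherwise. Pure text processing, safe to run anywhere.
fsck_reports_bad_dotdot() {
    grep -q "Bad inode number.* for '\.\.'"
}

# Runs the advisory's test case on a fresh f2fs image and prints VULNERABLE
# (fsck flags the ".." entry) or PATCHED. Needs root and f2fs-tools.
repro_cve_2023_52444() {
    img=$(mktemp /tmp/f2fs-XXXXXX.img)
    mnt=$(mktemp -d /tmp/f2fs-mnt-XXXXXX)
    truncate -s 64M "$img"
    mkfs.f2fs -q "$img" >/dev/null
    mount -t f2fs -o loop "$img" "$mnt"
    mkdir -p "$mnt/dir/foo"
    # Equivalent of "renameat2 -w dir/foo bar" from the advisory:
    # renameat2(AT_FDCWD, "dir/foo", AT_FDCWD, "bar", RENAME_WHITEOUT)
    python3 - "$mnt" <<'EOF'
import ctypes, os, sys
libc = ctypes.CDLL(None, use_errno=True)   # assumes glibc >= 2.28 (renameat2 wrapper)
os.chdir(sys.argv[1])
AT_FDCWD, RENAME_WHITEOUT = -100, 1 << 2
if libc.renameat2(AT_FDCWD, b"dir/foo", AT_FDCWD, b"bar", RENAME_WHITEOUT):
    raise OSError(ctypes.get_errno(), "renameat2 failed")
EOF
    umount "$mnt"
    # fsck only sees the on-disk dirent; the VFS resolves ".." from the dcache,
    # so checking with stat(1) while mounted would not reveal the corruption.
    if fsck.f2fs "$img" 2>&1 | fsck_reports_bad_dotdot; then
        echo VULNERABLE
    else
        echo PATCHED
    fi
    rm -rf "$img" "$mnt"
}

# Only run the privileged, disk-touching part when explicitly requested.
if [ "${F2FS_REPRO:-}" = 1 ]; then
    repro_cve_2023_52444
fi
```

Run as root with `F2FS_REPRO=1 sh check.sh`; without that variable only the harmless parser function is defined, which lets the fsck output matching be tested on its own.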

Exploit Details

At the time of writing, no known exploits have been developed for this vulnerability. It is important to note, however, that an attacker with local access to the system could potentially exploit this weakness to cause filesystem corruption, leading to a denial of service or potentially gaining unauthorized access to data.

Resolution

The Linux kernel maintainers have released a patch to resolve this vulnerability. The patch addresses the issue by properly updating the ".." link with the correct inode number during cross-directory rename operations, avoiding dirent corruption. The patch can be found in the kernel source code or through your distribution's package manager.

References

1. https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/

Conclusion

CVE-2023-52444 is a vulnerability in the Linux kernel that affects the f2fs file system. The vulnerability, caused by improper handling of certain cross-directory rename operations, can lead to directory entry corruption. To mitigate the vulnerability, it is important to apply the available patch from the Linux kernel maintainers.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/14/2024 20:13:28 UTC