CVE-2023-52604 - Linux Kernel JFS Array Index Out-of-Bounds in dbAdjTree Explained

In late 2023, a vulnerability in the Linux kernel’s JFS (Journaled File System) component was discovered. This bug—CVE-2023-52604—stemmed from an array index out-of-bounds issue in the function dbAdjTree within JFS's disk map code. The problem was revealed by Google's Syzkaller, a kernel fuzzing tool, and could lead to a kernel panic or even possible exploitation under certain conditions.

In this article, we’ll break down what happened, show you where the vulnerable code was, explain the cause, and walk through how it was fixed—with code and links for further reading.

What is JFS and the Context?

JFS is a journaling filesystem used in Linux, originally developed by IBM. It manages files, directories, and especially transactional operations allowing for robust data recovery and consistency.

The bug was reported against kernel version 6.6.-rc3-syzkaller, and it affected the way JFS handles the internal data structures used to keep track of free/used disk space.

Syzkaller reported this issue

UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]'

This means that code in jfs_dmap.c tried to access an element in an array (of 1365 elements) at position 196694 — way beyond the array’s end. This is a classic out-of-bounds write, a severe type of bug.

Here’s an important part of the kernel log

dbAdjTree+x474/x4f fs/jfs/jfs_dmap.c:2867

This tells us the problem function is dbAdjTree.

Understanding the Core Issue

The root cause was that an internal variable (lp) could end up being set to a value greater than CTLTREESIZE (the size of the key array), which allowed it to index past the array’s end.

Here’s a simplified, representative snippet

#define CTLTREESIZE 1365

void dbAdjTree(struct dmap * dp, s8 * stree, int lp, int val) {
    // ... other code ...
    stree[lp] += val;  // Vulnerable line if lp >= CTLTREESIZE
    // ... other code ...
}

If lp is ever >= 1365, an out-of-bounds access happens.

Crash Impact

When triggered, the bug leads to a kernel panic and full system crash—especially serious if the machine is handling critical workloads or is exposed to untrusted userspace code.

For full details, see syzkaller's report (example link).

How Could This Be Exploited?

While the report did not prove code execution, out-of-bounds writes can often be turned into information disclosure, privilege escalation, or code execution bugs—especially in filesystem or networking code accessible by regular users.

A local attacker creating/extending/corrupting a JFS filesystem could theoretically trigger this via weird filesystem layouts or by mounting/unmounting malformed images.

Prepare a specially crafted JFS filesystem image.

2. Fill structures in the image so that, during a filesystem operation, lp will be set larger than CTLTREESIZE.

Wait for (or trigger) a filesystem operation that hits dbAdjTree().

5. The out-of-bounds access may overwrite adjacent kernel memory, leading to a crash or—if skillfully exploited—arbitrary code execution.

*Note: No public full code exploit is known for this bug, but it’s still a kernel crasher and possibly more with further research.*

The Patch: Fix & Mitigation

Since the vulnerable function returned void, a thorough fix would require significant rewrite and error management. As a stopgap, the maintainers modified the code to check the value and issue a warning if triggered, without crashing.

Fixed Code

void dbAdjTree(struct dmap * dp, s8 * stree, int lp, int val) {
    if (WARN_ON_ONCE(lp >= CTLTREESIZE))
        return;
    stree[lp] += val;
}

By adding WARN_ON_ONCE, the kernel will print a warning once if the condition is met and abort that function.

References

- Upstream commit on kernel.org
- JFS bug discussion thread
- CVE record at NVD

Block untrusted users from mounting filesystems, especially JFS.

- Disable JFS support in the kernel if you don’t use it (common in minimal/server setups).

Summary

CVE-2023-52604 is a serious oversight in array bounds checking within the JFS disk mapping code in the Linux kernel. While the initial fix was minimal, it prevents the crash and disables exploitation routes for now. Anyone running Linux with JFS enabled should patch promptly—especially if the system is multi-user or allows filesystem mounts.

More Reading

- syzkaller automated kernel testing
- JFS Linux kernel documentation
- Kernel commit log for the fix

Timeline

Published on: 03/06/2024 07:15:11 UTC
Last modified on: 12/12/2024 17:49:20 UTC