CVE-2024-26981 - Out-of-Bounds Read in nilfs2's Directory Handling (Linux Kernel)

The Linux kernel is the foundational software powering millions of servers, desktops, and devices around the world. Among its many filesystem drivers is nilfs2, a profound log-structured file system. Recently, a vulnerability was discovered and fixed in the nilfs2 code: CVE-2024-26981. This post will take you through the root cause, technical details, example code, and how this bug could be (and was) exploited, all in simple, approachable language. Read on to better understand this kernel bug and why resolving such issues matters.

The Bug At a Glance

Vulnerability: Out-of-Bounds (OOB) Read
Location: fs/nilfs2/dir.c, Linux Kernel
Impact: Potentially leads to memory corruption or information disclosure
Affected Function: nilfs_set_de_type()

Patch Reference

* Kernel.org commit fixing the bug
* CVE Report: CVE-2024-26981
* nilfs-tools repo

Breaking Down the Vulnerable Code

In nilfs2, directory entries have a file_type attribute, which is set based on the inode's mode. This requires translating the file's mode to a directory entry type. Here's the relevant code from fs/nilfs2/dir.c:

static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
{
    umode_t mode = inode->i_mode;

    de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // OOB risk!
}

The function uses an array called nilfs_type_by_mode

static const unsigned char nilfs_type_by_mode[S_IFMT >> S_SHIFT] = {
    DT_UNKNOWN, /*  */
    DT_FIFO,    /* 1 */
    DT_CHR,     /* 2 */
    DT_UNKNOWN, /* 3 */
    DT_DIR,     /* 4 */
    DT_UNKNOWN, /* 5 */
    DT_BLK,     /* 6 */
    DT_UNKNOWN, /* 7 */
    DT_REG,     /* 8 */
    DT_UNKNOWN, /* 9 */
    DT_LNK,     /* 10 */
    DT_UNKNOWN, /* 11 */
    DT_SOCK,    /* 12 */
    DT_UNKNOWN, /* 13 */
    DT_WHT      /* 14 */
    // Missing one element! Oops!
};

To get the type index: (mode & S_IFMT) >> S_SHIFT.

When mode & S_IFMT == S_IFMT (e.g., for the undefined xF000 file type), we get an index that's one more than the array's length!
Thus, the code reads outside the bounds of nilfs_type_by_mode, leading to undefined behavior.

Why Does This Matter? (Exploitation Impact)

When kernel code reads or writes outside the bounds of arrays, all bets are off—these classic bugs can let local users:

Leak kernel memory (Information Disclosure)

- Sometimes, even escalate privileges (Remote Code Execution), depending on memory layout and exploit sophistication.

In this case, because directory entries may end up with an invalid file_type value, information in adjacent memory could be improperly read or written. On hardened or unpatched systems, this theoretically could be weaponized to read sensitive data from the kernel or crash the system.

Demonstrating the Vulnerability

Suppose a local user manages to create a file on a nilfs2 filesystem with a purposely hacked i_mode field:

struct inode fake_inode;
struct nilfs_dir_entry fake_de;

// Intentionally set mode to S_IFMT, which is undefined as a file type
fake_inode.i_mode = S_IFMT;

// This will trigger the OOB read
nilfs_set_de_type(&fake_de, &fake_inode);

// fake_de.file_type is now an out-of-bounds value (garbage),
// or worse, the value in the next memory location.

Note: Normally, it's hard to directly set i_mode in user space (the kernel sets it). However, a corrupted filesystem image, or custom nilfs2 tools, might create such a situation—making the bug potentially triggerable by unprivileged users, especially in fuzzing or attack scenarios.

The patch increased the array size by one, ensuring that all possible indices are safe

// Before:
static const unsigned char nilfs_type_by_mode[S_IFMT >> S_SHIFT] = { ... };
// After:
static const unsigned char nilfs_type_by_mode[(S_IFMT >> S_SHIFT) + 1] = { ... };

The patch effectively closes the hole by including the maximum possible index.

How Can You Protect Yourself?

- Update your kernel! Make sure you are running a Linux kernel version with the fix for CVE-2024-26981.

Limit the use of experimental or niche filesystems on multi-user systems.

Learn More

- Linux Kernel Commits (nilfs2 dir entry fix)
- Nilfs2 Official Site
- CVE-2024-26981 on MITRE
- Linux Filesystem Internals

Final Thoughts

Even rare filesystems like nilfs2 can harbor subtle, critical bugs that attackers may leverage. CVE-2024-26981 is a reminder of the importance of careful index bounds checking in core OS code. Always apply kernel updates and remain aware of security advisories for all components of your system—not just the most common ones.

Stay safe and keep learning!

*If you found this post helpful, please consider sharing or discussing it on your favorite tech forum!*

Timeline

Published on: 05/01/2024 06:15:15 UTC
Last modified on: 12/23/2024 20:42:57 UTC