CVE-2024-27070 - Use-After-Free in Linux Kernel f2fs_filemap_fault Explained (with Exploit Details)

A major bug was just fixed in the Linux kernel’s f2fs filesystem, tracked as CVE-2024-27070. This vulnerability could allow attackers to crash the system, leak memory content, or cause unexpected kernel behavior by triggering a use-after-free error. If you run Linux with the f2fs module (especially in environments using syzkaller or advanced fuzzing), you’ll want to know how this bug works, how it’s been fixed, and what the real risks are.

Below, I’ll explain the vulnerability in simple terms, show the problematic code, how it could be exploited, and link to all the original sources.

What Is f2fs and Why Does This Matter?

*f2fs* stands for "Flash-Friendly File System". It’s used on Linux, especially on devices relying on NAND flash memory, like SSDs, SD cards, and Android devices. Any bug in f2fs could be dangerous in production systems, phones, and cloud servers.

What Is CVE-2024-27070?

CVE-2024-27070 describes a use-after-free (UAF) vulnerability in the f2fs_filemap_fault() function. This function handles page faults in the f2fs filesystem when some process tries to access a memory-mapped file.

When handling faults, the function previously accessed a kernel structure pointer after it could have already been freed (use-after-free). Specifically, it used:

vmf->vma->vm_flags

after a call to filemap_fault() which might invalidate or free vmf->vma.

Security Impact

- Local attackers could trigger the bug by manipulating memory mappings in userspace and causing deliberate page faults (see the syzkaller crash below).

How Was It Discovered?

The bug was found by syzbot, Google’s automated kernel fuzzing system. It reported:

BUG: KASAN: slab-use-after-free in f2fs_filemap_fault+xd1/x2c fs/f2fs/file.c:49
Read of size 8 at addr ffff88807bb22680 by task syz-executor184/5058

Kernel version: 6.7.-syzkaller-09928-g052d534373b7

- Affected function: f2fs_filemap_fault in fs/f2fs/file.c

Look at the original code

int f2fs_filemap_fault(struct vm_fault *vmf)
{
    ...
    int err = filemap_fault(vmf);   // <-- This might free vmf->vma
    ...
    trace_f2fs_filemap_fault(vmf->vma->vm_flags); // <-- Dangerous!
    ...
}

Problem: After filemap_fault(vmf), the vmf->vma pointer may no longer be valid (it could even have been freed). Accessing its vm_flags is a classic use-after-free bug.

The patch stores vm_flags in a temporary, local variable *before* the potential free

int f2fs_filemap_fault(struct vm_fault *vmf)
{
    ...
    unsigned long vm_flags = vmf->vma->vm_flags;   // Save a copy
    int err = filemap_fault(vmf);
    ...
    trace_f2fs_filemap_fault(vm_flags);            // Use the safe value
    ...
}

See the commit.

Exploit Details (Proof-of-Concept)

A local exploit requires the ability to map/unmap memory on f2fs and trigger custom page faults, which *syzbot* does with ease. Here’s a simplified PoC in C:

// poc.c: Test for CVE-2024-27070 (SAFE sandbox recommended!)
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

int main() {
    int fd = open("/mnt/f2fs/testfile", O_RDWR | O_CREAT, 0644);
    if (fd < ) return 1;

    // Map a page, then rapidly unmap, remap, and trigger faults
    char *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, );
    if (map == MAP_FAILED) return 1;

    munmap(map, 4096);

    // Remap and trigger a page fault
    map = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, );
    if (map == MAP_FAILED) return 1;

    // Trigger a page fault (potentially during racing unmaps)
    char c = map[];

    // Clean up
    munmap(map, 4096);
    close(fd);
    return ;
}

This PoC is intentionally low-impact—it’s meant to demonstrate a fault, not a real-world exploit that would leak memory or escalate privilege. But attackers can build further on this technique, especially in environments where the attacker can fork multiple tasks and race the kernel (e.g., with fuzzers like syzkaller).

Timeline and References

- Original patch: kernel commit d7e98c378016
- Syzbot report: LKML thread
- Upstream kernel advisory: [N/A in mainstream yet, but see commit above]
- CVE record: CVE-2024-27070 (Mitre) (may update later)
- f2fs overview: Kernel documentation

Should I Worry? What Should I Do?

If you use f2fs in your Linux environment—especially with untrusted code or on shared/virtualized systems—update to a kernel version including the above fix ASAP. Otherwise, attackers or even buggy userspace programs can crash your kernel or worse.

If you compile your own kernel: Apply the patch above manually or pull the latest stable branch.

- Want to check if you’re vulnerable? See if this change is in your kernel’s fs/f2fs/file.c.

Conclusion

CVE-2024-27070 is a perfect example of how seemingly subtle memory access bugs in complex systems like Linux’s filesystems can lead to significant security risks. Always keep your kernel updated and follow advisories—bugs like these can be weaponized quickly in the wild.

References

- Linux Kernel Patch (d7e98c378016)
- Syzbot Crash Example
- f2fs Documentation
- CVE Detail (Tracking)

*This post is written exclusively for your request and is safe to share and bookmark for awareness!*

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 12/26/2024 20:25:12 UTC