Linux is one of the most reliable and widely used open-source operating systems, and its kernel developers continually identify and resolve vulnerabilities to keep it secure and stable. In this post, we discuss a recently resolved Linux kernel vulnerability: f2fs: fix to account dirty data in __get_secs_required().
The vulnerability is in the Flash-Friendly File System (F2FS), a file system designed for NAND flash memory-based storage devices. Running the testcase provided in [1] triggered a system panic.
The kernel log from the panic shows the following:
kernel BUG at fs/f2fs/segment.c:2752!
RIP: 001:new_curseg+xc81/x211
Call Trace:
f2fs_allocate_data_block+x1c91/x454
do_write_page+x163/xdf
f2fs_outplace_write_data+x1aa/x340
f2fs_do_write_data_page+x797/x228
f2fs_write_single_data_page+x16cd/x219
f2fs_write_cache_pages+x994/x1c80
f2fs_write_data_pages+x9cc/xea
do_writepages+x194/x7a
filemap_fdatawrite_wbc+x12b/x1a
__filemap_fdatawrite_range+xbb/xf
file_write_and_wait_range+xa1/x110
f2fs_do_sync_file+x26f/x1c50
f2fs_sync_file+x12b/x1d
vfs_fsync_range+xfa/x230
do_fsync+x3d/x80
__x64_sys_fsync+x37/x50
x64_sys_call+x1e88/x20d
do_syscall_64+x4b/x110
entry_SYSCALL_64_after_hwframe+x76/x7e
The root cause is that when both checkpoint_disabling and lfs_mode are on, F2FS triggers OPU (Out-Of-Place Update) for all overwritten data. This may consume more free segments than expected, so the number of free segments that will be consumed is miscalculated. F2FS must account for this dirty data correctly so that it calculates the consumed free segments accurately and returns ENOSPC (no space left on device) earlier, instead of running out of free segments during block allocation.
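The accounting gap described above can be shown with a small model. This is an added example, not the kernel's code or the actual patch: the structure, field names, function names and sample numbers are all hypothetical, and the model simply assumes that overwrites need new blocks only when both modes are on.

```c
#include <errno.h>
#include <stdbool.h>

/* Simplified model with hypothetical names; not the kernel's structures. */
struct fs_model {
    unsigned blocks_per_sec;    /* blocks in one section */
    unsigned free_secs;         /* sections currently free */
    unsigned reserved_secs;     /* sections held back for the allocator */
    unsigned dirty_node_blocks; /* dirty node, dentry and inode-meta pages */
    unsigned dirty_data_blocks; /* dirty data pages (overwrites) awaiting writeback */
    bool cp_disabled;           /* checkpoint disabled */
    bool lfs_mode;              /* log-structured (LFS) mode */
};

/* Constructed sample: 4 free sections, 2048 dirty overwrite pages. */
struct fs_model sample_fs(bool lfs_mode)
{
    struct fs_model fs = { 512, 4, 1, 100, 2048, true, lfs_mode };
    return fs;
}

static unsigned secs_for(const struct fs_model *fs, unsigned blocks)
{
    return (blocks + fs->blocks_per_sec - 1) / fs->blocks_per_sec;
}

/* Sections the pending writeback is expected to need. */
unsigned secs_required(const struct fs_model *fs, bool count_dirty_data)
{
    unsigned need = secs_for(fs, fs->dirty_node_blocks);
    /* With both modes on, every overwritten page needs a new block (OPU). */
    if (count_dirty_data && fs->cp_disabled && fs->lfs_mode)
        need += secs_for(fs, fs->dirty_data_blocks);
    return need;
}

/* Check made before accepting more dirty pages: 0 or -ENOSPC. */
int admit_write(const struct fs_model *fs, bool count_dirty_data)
{
    unsigned need = secs_required(fs, count_dirty_data) + fs->reserved_secs;
    return fs->free_secs < need ? -ENOSPC : 0;
}

/* Sections left after writeback, or -1 if allocation ran out of free sections. */
int writeback(const struct fs_model *fs)
{
    unsigned used = secs_required(fs, true);
    return used > fs->free_secs ? -1 : (int)(fs->free_secs - used);
}
```

With the sample values, the check that ignores dirty data admits the write and writeback then runs out of sections, while the check that counts dirty data returns -ENOSPC up front.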
The resolution of the vulnerability demonstrates the dedication and vigilance of Linux kernel developers in ensuring the security and stability of the operating system.
The original reference for the testcase that triggers the system panic is linked below:
[1] https://lore.kernel.org/fstests/20241015025106.3203676-1-chao@kernel.org/
Timeline
Published on: 12/27/2024 14:15:30 UTC
Last modified on: 01/20/2025 06:21:30 UTC