A recently resolved vulnerability in the Linux kernel, specifically within the HFSPlus (Hierarchical File System Plus) filesystem, could have allowed out-of-bounds data to be written. This post details the vulnerability, provides code snippets to showcase the fix, and includes links to the original references.
Vulnerability Details
HFSPlus is the file system used by macOS, and a vulnerability was found in the Linux kernel's handling of the device logical block size for that filesystem. Some devices, such as a loop device, can change their block size at runtime through the LOOP_SET_BLOCK_SIZE ioctl. The HFSPlus driver allocates buffers based on the block size it queries from the device, so if the block size changes while the filesystem is being mounted, the driver may write data out of bounds.
The vulnerability was resolved by updating the code so that the device block size is queried only once rather than multiple times.
The Fix
The updated code introduces a new variable, "min_io_size", initialized from "sb_min_blocksize", and uses it for block size allocation. The block size is determined as the larger of HFSPLUS_SECTOR_SIZE and the first seen logical block size, and that saved value is reused instead of querying the device again.
The fix was tested by mounting an HFSPlus filesystem with loop block sizes 512, 1024, and 4096.
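The following user-space C program is an added illustration written for this post; it is not kernel code and not the patch itself. It models the two patterns described above with a constructed stand-in device (struct sim_bdev, sim_bdev_logical_block_size and the sim_read_wrapper_* functions are all hypothetical names): one function sizes its buffer from a first query and its I/O length from a second query, so a block size change between the two leaves the I/O larger than the buffer; the other reads the size once into min_io_size, as the fix does, and reuses it. Each function returns the number of bytes by which the I/O length would exceed the allocation instead of actually overrunning memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HFSPLUS_SECTOR_SIZE 512u

/* Constructed stand-in for a block device whose logical block size can be
 * changed underneath a mount in progress (a loop device can do this through
 * the LOOP_SET_BLOCK_SIZE ioctl). Hypothetical type, not a kernel struct. */
struct sim_bdev {
	unsigned int logical_block_size;
};

/* Hypothetical stand-in for bdev_logical_block_size(): re-reads the device
 * value on every call, which is what makes repeated querying unsafe. */
static unsigned int sim_bdev_logical_block_size(const struct sim_bdev *bdev)
{
	return bdev->logical_block_size;
}

static unsigned int max_u(unsigned int a, unsigned int b)
{
	return a > b ? a : b;
}

/*
 * Pre-fix pattern: the buffer is sized from one query of the device, but the
 * I/O length comes from a second query made later. If the block size grows in
 * between, the I/O length exceeds the buffer. Returns the overrun in bytes
 * (0 means allocation and I/O still agree); nothing is written past the buffer.
 */
unsigned int sim_read_wrapper_requery(struct sim_bdev *bdev,
				      unsigned int new_size_during_mount)
{
	unsigned int blocksize =
		max_u(HFSPLUS_SECTOR_SIZE, sim_bdev_logical_block_size(bdev));
	unsigned char *buf = calloc(1, blocksize);
	unsigned int io_size, overrun;

	if (!buf)
		return 0;

	/* Simulate LOOP_SET_BLOCK_SIZE racing with the mount. */
	if (new_size_during_mount)
		bdev->logical_block_size = new_size_during_mount;

	/* Second query: may now disagree with the size used for the allocation. */
	io_size = max_u(HFSPLUS_SECTOR_SIZE, sim_bdev_logical_block_size(bdev));
	overrun = io_size > blocksize ? io_size - blocksize : 0;

	memset(buf, 0, blocksize);	/* touch only what was allocated */
	free(buf);
	return overrun;
}

/*
 * Fixed pattern, modelled on the description of the patch: the device size is
 * read exactly once into min_io_size and every later decision uses that saved
 * value, so a concurrent change cannot make allocation and I/O disagree.
 */
unsigned int sim_read_wrapper_once(struct sim_bdev *bdev,
				   unsigned int new_size_during_mount)
{
	/* Simplified stand-in for sb_min_blocksize(sb, HFSPLUS_SECTOR_SIZE):
	 * the larger of the sector size and the first seen device size. */
	unsigned int min_io_size =
		max_u(HFSPLUS_SECTOR_SIZE, sim_bdev_logical_block_size(bdev));
	unsigned int blocksize = min_io_size;
	unsigned char *buf = calloc(1, blocksize);
	unsigned int io_size, overrun;

	if (!buf)
		return 0;

	if (new_size_during_mount)
		bdev->logical_block_size = new_size_during_mount;

	/* No second query: reuse the value captured before allocation. */
	io_size = min_io_size;
	overrun = io_size > blocksize ? io_size - blocksize : 0;

	memset(buf, 0, blocksize);
	free(buf);
	return overrun;
}

int main(void)
{
	/* Constructed scenario: device starts at 512 bytes and is switched to
	 * 4096 while the mount is in progress. */
	struct sim_bdev a = { 512 }, b = { 512 };

	printf("requery pattern: overrun = %u bytes\n",
	       sim_read_wrapper_requery(&a, 4096));
	printf("query-once pattern: overrun = %u bytes\n",
	       sim_read_wrapper_once(&b, 4096));
	return 0;
}
```

Running it with the device growing from 512 to 4096 reports a 3584-byte overrun for the re-query pattern and none for the query-once pattern; shrinking the device instead produces no overrun in either case, which matches the observation that only a size increase between the two queries is dangerous.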
KASAN Report
A KASAN (Kernel Address Sanitizer) report was produced before the fix, showing the slab-use-after-free issue. The report indicates that the bug involved a read of size 2.
Further details and the full KASAN report can be found in the original references.
Original References
1. Linux Kernel Mailing List - the email thread discussing the issue and the fix.
2. KASAN Report - the full report showing the slab-use-after-free issue.
Conclusion
The CVE-2024-56548 vulnerability in the Linux kernel's handling of HFSPlus filesystem device logical block sizes has been resolved. Previously, this bug could have allowed out-of-bounds data to be written; the code has now been updated to allocate based on a single block size value and no longer queries the device block size multiple times. The fix was thoroughly tested, and the related KASAN report supports the resolution of the issue.
Timeline
Published on: 12/27/2024 14:15:34 UTC
Last modified on: 03/06/2025 12:42:52 UTC