CVE-2024-57850 - Exploiting rtime Decompression Memory Corruption in Linux JFFS2

In June 2024, a critical vulnerability was patched in the Linux kernel’s JFFS2 file system implementation. Identified as CVE-2024-57850, this bug allows memory corruption through a flaw in the rtime decompression routine. In this post, you’ll learn what the problem was, how it could be abused, see the original code, and understand the patch that fixed it. Plain and simple.

What is JFFS2?

JFFS2 ("Journaling Flash File System version 2") is a filesystem designed for use with flash memory devices such as those found in embedded devices, routers, and IoT hardware.

The Vulnerability in a Nutshell

The issue specifically affects the rtime decompression function. This routine is supposed to decompress data blocks stored on flash. However, it didn’t always check if it was writing outside the bounds of the output buffer. If an attacker could control the input data—for example, via a crafted filesystem image—they could make the system overwrite memory it shouldn’t.

Root Cause: Lack of boundary checking while decompressing corrupted or malicious data.

Let’s look at a simplified (annotated) snippet of the old, vulnerable decompression logic

// rtime decompression loop (simplified)
while (in < in_end) {
    /* decompress bytes */
    *out++ = ...;
    // <---- No bounds check! Out can go past the end
}

There were not enough checks to ensure that out never went outside the valid output buffer.

Denial of Service: Just making a system reboot constantly.

But practical exploitation depends on whether an attacker can get you to mount a specially crafted JFFS2 filesystem image.

Proof-of-Concept: Triggering the Bug

Here's a basic approach to trigger this using a malformed JFFS2 image.

A way to corrupt the image to produce 'bad' compressed blocks.

mkfs.jffs2 -d test_dir -o test.jffs2
# Use a hex editor to break a compressed block in test.jffs2

2. Mount the image on a vulnerable kernel

modprobe mtdram total_size=4096 erase_size=128
modprobe mtdblock
dd if=test.jffs2 of=/dev/mtdblock
mount -t jffs2 /dev/mtdblock /mnt

If the kernel is unpatched, it may crash, log errors, or show memory corruption.

The patch adds a check *before* writing to the output buffer

if (out >= out_end) {
    pr_warn("JFFS2: rtime decompression overrun!\n");
    break;
}
*out++ = ...;

Reference Patch:
- kernel.org commit
- LKML reference

Links & References

- Official Linux Kernel Patch
- CVE-2024-57850 @ NVD *(may update)*
- Explanation on lore.kernel.org

Closing Thoughts

CVE-2024-57850 underscores the importance of careful bounds checking in filesystem and kernel code. If you run Linux on embedded hardware, update ASAP—memory corruption in the kernel is nothing to ignore.

Timeline

Published on: 01/11/2025 15:15:07 UTC
Last modified on: 03/03/2025 17:42:59 UTC