CVE-2023-52770 in Linuxinfo

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

f2fs: split initial and dynamic conditions for extent_cache

Let's allocate the extent_cache tree without dynamic conditions to avoid a missing condition causing a panic as below.

# create a file w/ a compressed flag # disable the compression # panic while updating extent_cache

F2FS-fs (dm-64): Swapfile: last extent is not aligned to section F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N) Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 Write of size 4 at addr 0000000000000030 by task syz-executor154/3327

CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1 Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023 Call Trace: __dump_stack out/common/lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118 __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415 kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428 kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186 __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37 instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]
atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]
queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]
__raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]
_raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155 f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172 f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]
f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764 vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310 ksys_fallocate out/common/fs/open.c:333 [inline]
__do_sys_fallocate out/common/fs/open.c:341 [inline]
__se_sys_fallocate out/common/fs/open.c:339 [inline]
__x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339 do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/07/2025

The vulnerability CVE-2023-52770 affects the F2FS (Flash-Friendly File System) implementation within the Linux kernel, specifically concerning how the extent_cache tree is managed during file operations. This issue manifests when a file is created with a compressed flag, compression is subsequently disabled, and then an attempt is made to update the extent_cache structure. The flaw arises from the improper handling of initial versus dynamic conditions during the allocation of the extent_cache tree, leading to a potential null pointer dereference that results in system panic. The root cause lies in the kernel's inability to correctly manage memory allocation under specific file system states, particularly when transitioning between compressed and uncompressed file modes.

The technical exploitation of this vulnerability occurs through a sequence of file system operations that trigger a race condition or improper state management within the extent_cache subsystem. When a file is initially created with compression enabled, the kernel allocates certain data structures to track file extents. However, when compression is later disabled, the system attempts to reallocate or update these structures without proper consideration of the initial allocation state. The KASAN (Kernel Address Sanitizer) output indicates a null pointer dereference at address 0x30 during a write operation, suggesting that the extent_cache tree structure is not properly initialized or maintained during the transition phase. The stack trace reveals the execution path leading to the crash, starting from the fallocate system call through the file.c and extent_cache.c modules, ultimately failing in the __drop_extent_tree function where the null pointer dereference occurs.

This vulnerability impacts the stability and reliability of Linux systems using F2FS file systems, particularly those handling large files or swap operations. The panic condition can lead to complete system crashes, requiring manual reboot and potentially resulting in data loss if not properly handled. The issue is particularly concerning in virtualized environments or systems where automated processes frequently manipulate file attributes and allocation patterns. From a cybersecurity perspective, this vulnerability could be exploited by malicious actors to cause denial-of-service conditions, potentially leading to system instability. The vulnerability aligns with CWE-476, which addresses null pointer dereference issues, and could be leveraged in attacks following the ATT&CK technique T1499.004, which involves network disruption through system resource exhaustion or manipulation.

The recommended mitigation strategy involves applying the kernel patch that separates the initial allocation of the extent_cache tree from dynamic allocation conditions, ensuring proper initialization regardless of file state transitions. System administrators should prioritize updating their Linux kernels to versions containing the fix, particularly in production environments where F2FS is actively used. Monitoring systems should be enhanced to detect abnormal file system behavior that might indicate exploitation attempts. Additionally, implementing proper input validation and state management checks within file system operations can help prevent similar issues in other kernel components. The fix essentially ensures that the extent_cache tree is allocated with appropriate initial conditions that do not depend on dynamic factors, thereby preventing the null pointer dereference that leads to system panic. Organizations should also conduct regular security assessments of their file system configurations and maintain up-to-date kernel security patches to prevent exploitation of similar vulnerabilities.

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!