CVE-2024-26956 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
Patch series "nilfs2: fix kernel bug at submit_bh_wbc()".
This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch.
The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such.
This patch (of 2):
Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted.
There are two flaws involved in this issue.
The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently.
The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing.
This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/26/2026
The vulnerability identified as CVE-2024-26956 affects the Linux kernel's nilfs2 file system implementation and represents a critical flaw in how the system handles data block mapping when metadata corruption occurs. This issue manifests through a kernel BUG reported by syzbot, a sophisticated fuzzer designed to identify kernel-level vulnerabilities. The problem specifically emerges during write operations to nilfs2 file systems where metadata corruption has occurred, particularly affecting the DAT (Data Address Translation) structures that maintain mapping information for file data blocks. The vulnerability operates at the intersection of file system integrity and kernel memory management, creating a scenario where corrupted metadata can cause inconsistent behavior in block lookup operations.
The technical flaw involves two interconnected issues that compound the vulnerability's impact. The first flaw occurs within the nilfs_get_block() function where the disk address translation routine nilfs_dat_translate() fails with internal error code -ENOENT due to DAT metadata corruption, yet this failure condition is improperly handled and passed back to the block lookup mechanism. This causes nilfs_get_block() to incorrectly identify existing blocks as non-existent, leading to inconsistent behavior in both data block lookup and insertion operations. The second flaw is that nilfs_get_block() returns a successful status code even when operating in this corrupted state, which causes downstream functions like __block_write_begin_int() to make inappropriate read requests for unmapped buffers. This inconsistency triggers a critical BUG_ON check in submit_bh_wbc() function that validates the BH_Mapped flag, resulting in kernel panic and system instability.
The operational impact of this vulnerability extends beyond simple file system corruption, creating potential denial of service conditions and data integrity risks for systems utilizing nilfs2 file systems. When the kernel encounters corrupted DAT metadata during write operations, the improper error handling can lead to kernel crashes, system hangs, or unpredictable behavior that may persist until system reboot. This vulnerability affects systems that rely on nilfs2's snapshot and continuous snapshot capabilities, which are commonly used in enterprise environments for backup and recovery operations. The flaw demonstrates a weakness in the kernel's error handling architecture where metadata corruption detection fails to propagate properly through the file system layer, creating a cascade of issues that can compromise system stability. According to CWE classification, this vulnerability relates to CWE-755: Improper Handling of Exceptional Conditions and CWE-20: Improper Input Validation, as it involves inadequate error handling for corrupted metadata and failure to properly validate data mapping operations.
The patch addressing this vulnerability implements a targeted fix that changes the return value from -ENOENT to -EINVAL when DAT translation fails due to metadata corruption. This modification ensures that corruption detection is properly communicated through the system, allowing the nilfs2 bmap layer to correctly convert the error to -EIO, which represents a proper file system error condition. The fix addresses both components of the vulnerability by preventing the propagation of corrupted metadata states and ensuring that error conditions are properly handled throughout the kernel's block mapping subsystem. This approach aligns with established security practices for kernel error handling and follows the principle of least privilege by ensuring that corrupted metadata conditions are not silently ignored or improperly converted. The mitigation strategy also includes proper error propagation through the kernel's VFS (Virtual File System) layer, preventing the inconsistent state that led to the kernel BUG. The vulnerability's impact is further mitigated by the fact that it only affects systems actively writing to corrupted nilfs2 file systems, making it less likely to be exploited in normal operation but still requiring prompt patching for systems that may experience metadata corruption during normal operations.
This vulnerability demonstrates the importance of robust error handling in kernel file systems, particularly when dealing with metadata corruption scenarios. The issue highlights how seemingly minor inconsistencies in error propagation can lead to catastrophic system failures, emphasizing the need for comprehensive testing of error conditions in kernel code. The fix exemplifies proper defensive programming practices by ensuring that error conditions are consistently handled and propagated through the system architecture. Systems administrators should prioritize patching this vulnerability, especially on servers that utilize nilfs2 file systems or those that might experience unexpected metadata corruption. The vulnerability's resolution through kernel patches underscores the ongoing need for security-focused kernel development practices and the importance of automated testing tools like syzbot in identifying critical kernel bugs before they can be exploited in production environments.