CVE-2024-44942 in Linuxinfo

Summary

by MITRE • 08/26/2024

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

syzbot reports a f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]
f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline]
wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback.

Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/29/2025

The vulnerability described in CVE-2024-44942 represents a critical flaw within the Linux kernel's F2FS (Flash-Friendly File System) implementation that could lead to system instability and potential denial of service conditions. This issue manifests during garbage collection operations when the file system attempts to migrate data blocks from inline data inodes. The vulnerability stems from insufficient validation of the F2FS_INLINE_DATA flag during background garbage collection processes, creating a scenario where malformed or fuzzed inline data inodes could contain valid block addresses in their direct nodes. When the garbage collection mechanism attempts to migrate these blocks, it encounters a kernel BUG condition that results in immediate system termination.

The technical root cause involves a race condition and improper state validation within the F2FS file system's garbage collection subsystem. During normal operation, inline data inodes are designed to store small amounts of data directly within the inode structure itself, avoiding the need for separate block allocation. However, when these inodes are subjected to fuzzing or corruption, they can contain valid block addresses that should not be migrated during garbage collection. The kernel's f2fs_write_inline_data function, which handles writing inline data, contains a critical check at line 258 in fs/f2fs/inline.c that triggers a kernel BUG when encountering such malformed conditions. This failure occurs because the garbage collection process does not properly validate whether an inode is actually in the inline data state before attempting to migrate its blocks, leading to a direct kernel panic.

This vulnerability directly impacts system stability and availability by creating a condition where legitimate file system operations can trigger kernel panics during background garbage collection. The operational impact extends beyond simple system crashes to potentially compromise data integrity, as the garbage collection process is a critical component of F2FS's performance optimization. When triggered, this condition can cause the kernel to immediately terminate with a BUG_ON assertion failure, effectively halting all system operations until manual intervention or system reboot occurs. The vulnerability is particularly concerning because it can be triggered through background processes without requiring direct user interaction, making it a latent threat that could affect systems running F2FS without user awareness. This aligns with CWE-682, which addresses incorrect use of mathematical operations, and maps to ATT&CK technique T1490, specifically the exploitation of system resource exhaustion through kernel-level vulnerabilities.

The fix implemented for CVE-2024-44942 addresses the core issue by adding proper sanity checks on the F2FS_INLINE_DATA flag during garbage collection operations. This mitigation ensures that inline data inodes are properly validated before any block migration attempts occur, preventing the kernel from attempting to migrate data blocks from inodes that should remain in their inline storage format. The solution involves modifying the garbage collection logic to explicitly verify that an inode is not marked with the F2FS_INLINE_DATA flag before proceeding with block migration, thereby preventing the kernel BUG condition from being triggered. This approach follows established security practices for preventing improper state transitions in kernel-level file systems and aligns with industry standards for robust kernel memory management. The fix represents a defensive programming approach that prevents the kernel from entering an undefined state when processing corrupted or malformed file system metadata, effectively eliminating the path to the kernel panic while maintaining normal file system functionality for legitimate operations.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00223

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!