CVE-2024-56586
Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.

Creating large files during checkpoint disable until it runs out of space and then deleting them, then remounting to enable checkpoint again, and then unmounting the filesystem triggers the f2fs_bug_on as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:896!
CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:f2fs_evict_inode+0x58c/0x610
Call Trace:
 __die_body+0x15/0x60
 die+0x33/0x50
 do_trap+0x10a/0x120
 f2fs_evict_inode+0x58c/0x610
 do_error_trap+0x60/0x80
 f2fs_evict_inode+0x58c/0x610
 exc_invalid_op+0x53/0x60
 f2fs_evict_inode+0x58c/0x610
 asm_exc_invalid_op+0x16/0x20
 f2fs_evict_inode+0x58c/0x610
 evict+0x101/0x260
 dispose_list+0x30/0x50
 evict_inodes+0x140/0x190
 generic_shutdown_super+0x2f/0x150
 kill_block_super+0x11/0x40
 kill_f2fs_super+0x7d/0x140
 deactivate_locked_super+0x2a/0x70
 cleanup_mnt+0xb3/0x140
 task_work_run+0x61/0x90

The root cause is: creating large files during the disable-checkpoint period results in not enough free segments, so writing back the root inode will fail in f2fs_enable_checkpoint. When the filesystem is unmounted after enabling checkpoint, the root inode is still dirty in the f2fs_evict_inode function, which triggers BUG_ON. The steps to reproduce are as follows:

dd if=/dev/zero of=f2fs.img bs=1M count=55
mount f2fs.img f2fs_dir -o checkpoint=disable:10%
dd if=/dev/zero of=big bs=1M count=50
sync
rm big
mount -o remount,checkpoint=enable f2fs_dir
umount f2fs_dir

Let's redirty the inode when there are no free segments while checkpoint is disabled.
POC
Reference
No PoCs from references.