Linux Kernel UBIFS Read Out-of-Bounds Vulnerability in Buffer Writing Function

A read out-of-bounds vulnerability has been identified in the Linux kernel's UBIFS (Unsorted Block Image File System) module. The issue arises in the function 'ubifs_wbuf_write_nolock()', which improperly handles buffer lengths that are not aligned to eight bytes. This misalignment can lead to the function accessing memory outside the intended bounds, potentially causing a slab-out-of-bounds error. The vulnerability can be triggered during normal write operations, where the unaligned length is not correctly managed before writing to the log-structured file system.

Impact

Exploitation of this vulnerability can lead to out-of-bounds memory access, which is typically associated with memory corruption issues. In this case, the Kernel Address Sanitizer (KASAN) detected the out-of-bounds read, indicating a potential memory corruption scenario that could be exploited.

Reproduction

The vulnerability can be reproduced by writing data to the UBIFS that is not properly aligned to an eight-byte boundary. This can be done by using the 'ubifs_jnl_write_inode' function to initiate a write operation with an unaligned length. The 'ubifs_wbuf_write_nolock()' function will then process the length incorrectly, leading to a read out-of-bounds condition.