Linux Kernel Nilfs2 Shift-Out-Of-Bounds Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability in the Linux kernel's Nilfs2 file system can cause a shift-out-of-bounds error, leading to a kernel panic, if the superblock's log block size exponent is corrupted and excessively large. The issue arises in the 'init_nilfs()' and 'load_nilfs()' functions, where the invalid block size exponent triggers a warning that the shift is too large for a 32-bit integer. This vulnerability has been addressed by implementing a new helper function that includes a sanity check for the block size.
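The sanity check described above, written as a user-space C example. This is an added illustration, not the kernel's own helper; the function names, the 1 KiB base block size and the 64 KiB maximum are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits for this example: 1 KiB base block, 64 KiB maximum. */
#define BASE_BLOCK_BITS 10u
#define MAX_BLOCK_BITS  16u

/* Decode the on-disk little-endian 32-bit field on any host byte order. */
static uint32_t le32_decode(const unsigned char b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/*
 * Unchecked pattern: blocksize = 1024 << s_log_block_size;
 * A shift count at or above the width of the type is undefined behaviour,
 * which UBSAN reports as shift-out-of-bounds.
 */

/* Hardened: reject the exponent before it is ever used as a shift count. */
static int get_blocksize_checked(const unsigned char raw[4], uint32_t *blocksize)
{
    uint32_t shift = le32_decode(raw);

    if (shift > MAX_BLOCK_BITS - BASE_BLOCK_BITS)
        return -EINVAL;          /* corrupted or unsupported superblock */
    *blocksize = (uint32_t)1 << (BASE_BLOCK_BITS + shift);
    return 0;
}

int main(void)
{
    /* Constructed sample field values, not taken from a real image. */
    const unsigned char samples[][4] = {
        {0x02, 0x00, 0x00, 0x00},   /* exponent 2: 4 KiB */
        {0x06, 0x00, 0x00, 0x00},   /* exponent 6: 64 KiB, largest accepted */
        {0x07, 0x00, 0x00, 0x00},   /* one past the limit: rejected */
        {0xff, 0xff, 0xff, 0xff},   /* excessively large: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t bs = 0;
        int rc = get_blocksize_checked(samples[i], &bs);
        printf("exponent %u -> rc=%d blocksize=%u\n",
               (unsigned)le32_decode(samples[i]), rc, (unsigned)bs);
    }
    return 0;
}
```

The output value is written only after the range check passes, so a rejected superblock leaves the caller's block size untouched.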

Impact

Exploitation of this vulnerability causes a shift-out-of-bounds warning and, if the 'panic_on_warn' option is enabled, a subsequent kernel panic.

Reproduction

To reproduce this vulnerability, corrupt the 's_log_block_size' field of the Nilfs2 superblock data with an excessively large exponent. When 'init_nilfs()' or 'load_nilfs()' is called, the corruption will trigger a shift-out-of-bounds warning and, if 'panic_on_warn' is set, a kernel panic will occur.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.

Added: Dec 30, 2025, 5:03 PM
Updated: Dec 30, 2025, 5:03 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.