Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.16.0-rc5-00184-g0bca5994cacc, < 5.16.0-rc5-00184-g0bca5994cacc-dirty
A flaw in the Linux kernel's UBIFS (Unsorted Block Image File System) concerns how page-cache pages are tracked during writes. UBIFS expects each of its pages to be in one of two states: dirty and private (the file system has attached its own data and budget to the page), or neither dirty nor private. A page that is private but not dirty is treated as impossible, and the UBIFS releasepage callback asserts when it sees one. The state is reachable in practice: a write attaches private data to the page and marks it dirty, the dirty flag is later cleared while the private flag stays set, and an invalidation of the now clean page (for example via fadvise) reaches the release callback with the page still private. The assertion then fires. How UBIFS reacts is governed by its assert= mount option (report, read-only or panic); the outcome described here, the file system being forced read-only, is the read-only policy.
Triggering the flaw causes a UBIFS assertion failure. Under the read-only assert policy the affected file system is switched to read-only mode, so every subsequent write on that mount fails until it is remounted; under the panic policy the system goes down. In either case the effect is a local denial of service against the UBIFS volume. The kernel log records the event as a "UBIFS assert failed" message, which is the signal to look for when diagnosing an unexpectedly read-only UBIFS mount.
The sequence that reaches the assertion is: data is written to a UBIFS file, and the write-end path attaches private data to the page and marks it dirty (the page is now dirty and private); the page is unlocked and the write completes. The page's dirty flag is then cleared while the private flag remains, leaving the page in the private-but-not-dirty state UBIFS does not expect. Before the page is truncated (truncation would go through UBIFS's invalidatepage path and release the private data), an fadvise call with POSIX_FADV_DONTNEED invalidates the clean page: invalidate_mapping_pages skips dirty and writeback pages but, for a clean page that is still private, calls try_to_release_page, which hands the page to the UBIFS releasepage callback. That callback asserts because a private page reaching release is assumed to be impossible.
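The state-machine argument above can be made concrete with a small user-space model. This is an added illustration written for this page, not kernel code from fs/ubifs/file.c or from any kernel commit: struct fs, fs_assert(), fadvise_dontneed() and the two releasepage variants are simplifications chosen to mirror the advisory's description. The vulnerable variant asserts unconditionally once a private page reaches release, which is how the text describes the failure; the fixed variant tolerates a private-but-clean page and simply detaches its private data. run_sequence() replays the advisory's steps (write, dirty flag cleared while private remains, fadvise-driven invalidation) against either variant, and can also run the normal case where the page stays dirty, in which fadvise leaves it alone.

```c
#include <stdbool.h>
#include <stdio.h>

/* Page flags we model. Names echo the kernel's PG_dirty/PG_private/PG_writeback
 * for readability only; the structs and functions here are not kernel code. */
enum {
	PG_DIRTY     = 1u << 0,
	PG_PRIVATE   = 1u << 1,
	PG_WRITEBACK = 1u << 2,
};

struct page {
	unsigned int flags;
};

/* Stand-in for the file system's state: counts assertion failures and records
 * whether the fs was forced read-only (the assert=read-only policy). */
struct fs {
	int  assert_failures;
	bool read_only;
};

/* Model of ubifs_assert() under the read-only policy: log and force RO. */
static void fs_assert(struct fs *c, bool cond, const char *expr)
{
	if (cond)
		return;
	c->assert_failures++;
	c->read_only = true;
	fprintf(stderr, "UBIFS assert failed: %s -> switching to read-only\n", expr);
}

/* Write path: the only legitimate way into PG_PRIVATE. The page passes through
 * (Private, !Dirty) for an instant and ends up (Private, Dirty). */
static void write_end(struct page *p)
{
	p->flags |= PG_PRIVATE;
	p->flags |= PG_DIRTY;
}

/* The advisory's anomalous step: dirty is cleared while private stays set. */
static void clear_dirty_keep_private(struct page *p)
{
	p->flags &= ~PG_DIRTY;
}

typedef int (*releasepage_fn)(struct fs *, struct page *);

/* Vulnerable releasepage: assumes a private page is always dirty, so being
 * called at all is treated as impossible and asserts unconditionally.
 * Returns 1 once the page's private data has been dropped. */
static int releasepage_vulnerable(struct fs *c, struct page *p)
{
	if (p->flags & PG_WRITEBACK)
		return 0;
	fs_assert(c, p->flags & PG_PRIVATE, "PagePrivate(page)");
	fs_assert(c, false, "0");          /* fires for every clean private page */
	p->flags &= ~PG_PRIVATE;
	return 1;
}

/* Fixed releasepage: (Private, !Dirty) is accepted and released quietly. */
static int releasepage_fixed(struct fs *c, struct page *p)
{
	if (p->flags & PG_WRITEBACK)
		return 0;
	fs_assert(c, p->flags & PG_PRIVATE, "PagePrivate(page)");
	p->flags &= ~PG_PRIVATE;
	return 1;
}

/* Model of the invalidation reached from fadvise(POSIX_FADV_DONTNEED): dirty or
 * writeback pages are left alone; a clean private page is first handed to the
 * file system's releasepage. Returns 1 if the page was dropped. */
static int fadvise_dontneed(struct fs *c, struct page *p, releasepage_fn releasepage)
{
	if (p->flags & (PG_DIRTY | PG_WRITEBACK))
		return 0;
	if ((p->flags & PG_PRIVATE) && !releasepage(c, p))
		return 0;
	return 1;
}

struct outcome {
	bool fs_read_only;   /* did an assertion force the fs read-only? */
	bool page_private;   /* is private data still attached afterwards? */
	int  invalidated;    /* did fadvise drop the page? */
};

/* Replays the advisory's sequence against one releasepage implementation.
 * With hit_bad_state == false the page stays dirty (the normal case). */
static struct outcome run_sequence(releasepage_fn releasepage, bool hit_bad_state)
{
	struct fs c = { 0 };
	struct page p = { 0 };
	struct outcome o;

	write_end(&p);                      /* Dirty, Private */
	if (hit_bad_state)
		clear_dirty_keep_private(&p);   /* !Dirty, Private: the unexpected state */
	o.invalidated = fadvise_dontneed(&c, &p, releasepage);
	o.fs_read_only = c.read_only;
	o.page_private = (p.flags & PG_PRIVATE) != 0;
	return o;
}

int main(void)
{
	struct outcome v = run_sequence(releasepage_vulnerable, true);
	struct outcome f = run_sequence(releasepage_fixed, true);

	printf("vulnerable: read_only=%d page_private=%d invalidated=%d\n",
	       v.fs_read_only, v.page_private, v.invalidated);
	printf("fixed:      read_only=%d page_private=%d invalidated=%d\n",
	       f.fs_read_only, f.page_private, f.invalidated);
	return 0;
}
```

Note that in both variants the page is actually released; the difference is only that the vulnerable one treats a legitimate call as a corruption indicator and takes the file system down with it. That is the design point of the fix: a state that the kernel's own page-cache code can produce must be handled, not asserted away.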
Upgrade to a stable kernel that carries the UBIFS fix for this issue; the change is kernel-side, so there is no user-space patch. Where an upgrade must wait, the blast radius can be limited through the assert= mount option: with assert=report a failed assertion is only logged, instead of forcing the file system read-only or panicking the system. After upgrading, confirm that write and fadvise activity on the UBIFS volume no longer produces "UBIFS assert failed" messages in the kernel log.