Linux Kernel JFS Double-Free Vulnerability in diUnmount Function

A double-free vulnerability has been identified in the Linux kernel's JFS (Journaled File System) implementation. This issue arises in the diUnmount function, where the i_imap field of the JFS_IP(ipimap) structure is not properly set to NULL after being freed. As a result, if jfs_remount() frees the i_imap but then fails during diMount(), the i_imap will be freed again, leading to a double-free condition. This vulnerability was discovered by syzbot, which reported the double-free issue as a KASAN (Kernel Address Sanitizer) error.

Impact

Exploitation of this vulnerability causes a double-free condition, which can lead to memory corruption. Such corruption can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by unmounting a JFS file system using the diUnmount function. The process involves freeing the i_imap field without nullifying it, creating a scenario where the same memory address can be freed again, thus causing a double-free condition. This specific sequence can be triggered by a failure in the jfs_remount() function, which attempts to free the i_imap but does not complete the process, leaving the field in a state that can be improperly freed again.

Remediation

The vulnerability has been addressed by modifying the diUnmount function to set the i_imap field to NULL after it has been freed. Users should ensure they are running a version of the Linux kernel that includes this patch.