Linux Kernel JFS Double-Free Vulnerability in dbUnmount Function

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's JFS (Journaled File System) implementation. It is located in the dbUnmount() function, which is called when a JFS file system is unmounted. The double free is triggered when the file system is unmounted after a jfs_remount() call has failed. The issue was found by Syzkaller, a kernel fuzzing tool, while it was testing the JFS file system.

Impact

Triggering this vulnerability results in a double free, which corrupts kernel memory. In the Linux kernel, memory corruption bugs of this kind can often be exploited to execute arbitrary code or escalate privileges.

Reproduction

The vulnerability can be reproduced by mounting a JFS file system and then deliberately making the subsequent remount fail. Syzkaller's 'faultinject' feature, which injects errors into system calls, can be used for this. When the file system is unmounted after the failed remount, dbUnmount() frees the same memory address a second time, triggering the double free.

Remediation

The vulnerability has been fixed in the upstream Linux kernel. Users should upgrade to the latest version of the kernel where this issue has been addressed.

Added: Dec 24, 2025, 3:06 PM
Updated: Dec 24, 2025, 3:06 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.