Linux Kernel Data-Race and Null Pointer Dereference Vulnerability in JBD2 Journal Metadata Handling

Vulnerability

A data-race and null pointer dereference vulnerability has been identified in the Linux kernel's JBD2 (Journaling Block Device) subsystem. The issue arises because the transaction handle may be a NULL pointer, which the affected code can then dereference. The vulnerability was discovered through fuzzing, which revealed a data-race condition in the 'jbd2_journal_dirty_metadata' function. The race occurs because the 'b_modified' field of the journal header is not properly synchronized, allowing concurrent tasks to interfere with each other's operations. This vulnerability affects several versions of the Linux kernel.
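To make the two defects concrete, the following added example (written for this page, not kernel code and not the upstream fix) models the hardened shape of a dirty-metadata path in user space: the handle's transaction pointer is checked for NULL before anything else, and the check-then-set of the b_modified flag is kept under a single lock so that concurrent callers cannot both believe they were first. The struct names, the lock name b_state_lock, and the first_mod_count counter are assumptions made for the illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
/* Minimal user-space stand-ins for the kernel structures (constructed for this example). */
struct transaction { int t_tid; };
struct handle { struct transaction *h_transaction; };
struct journal_head {
    pthread_mutex_t b_state_lock;  /* assumed lock protecting b_modified */
    bool b_modified;               /* set once the buffer is credited to the transaction */
    int first_mod_count;           /* how many callers believed they were the first modifier */
};
/* Hardened dirty-metadata path: refuse a handle with no transaction before touching jh,
 * and keep the b_modified check and update under one lock so only one caller can win. */
int dirty_metadata(struct handle *h, struct journal_head *jh)
{
    if (h == NULL || h->h_transaction == NULL)
        return -1;                 /* no transaction: nothing to credit, and no NULL dereference */
    pthread_mutex_lock(&jh->b_state_lock);
    if (!jh->b_modified) {         /* an unlocked read here is the race the advisory describes */
        jh->b_modified = true;
        jh->first_mod_count++;
    }
    pthread_mutex_unlock(&jh->b_state_lock);
    return 0;
}
struct worker_arg { struct handle *h; struct journal_head *jh; int iters; };
static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++)
        dirty_metadata(a->h, a->jh);
    return NULL;
}
/* Hammer one journal head from several threads; returns how many "first modification"
 * credits were handed out. With the lock in place this is always exactly 1. */
int run_concurrent_dirty(int nthreads, int iters)
{
    struct transaction t = { .t_tid = 1 };
    struct handle h = { .h_transaction = &t };
    struct journal_head jh = { .b_state_lock = PTHREAD_MUTEX_INITIALIZER };
    struct worker_arg arg = { &h, &jh, iters };
    pthread_t tid[16];
    if (nthreads > 16) nthreads = 16;
    for (int i = 0; i < nthreads; i++) pthread_create(&tid[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++) pthread_join(tid[i], NULL);
    return jh.first_mod_count;
}
```

Removing the lock around the b_modified check reproduces the check-then-act window in which two threads can both take the "first modifier" branch, which is the class of interference the advisory attributes to the unsynchronized field.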

Impact

Triggering the race can cause undefined behavior in the kernel, such as memory corruption or incorrect handling of file system operations; the NULL transaction handle can additionally cause a kernel crash through a null pointer dereference.

Reproduction

The vulnerability can be reproduced by using a fuzzer that targets the JBD2 subsystem, specifically the 'jbd2_journal_dirty_metadata' function. The fuzzer should create a scenario where two tasks concurrently access the same journal header, leading to a data-race condition. This can be achieved by manipulating the file system in a way that causes concurrent writes to the journal, such as by using multiple threads or processes that perform file operations simultaneously.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Jul 10, 2025, 11:01 AM
Updated: Jul 10, 2025, 11:01 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.