Linux Kernel OCFS2 Extent Cache Staleness Vulnerability Allowing BUG_ON Trigger

Vulnerability

A vulnerability in the Linux kernel's OCFS2 file system can lead to a stale extent map cache when extents are moved or defragmented. This issue causes subsequent operations to encounter outdated extent flags, triggering a BUG_ON condition in the 'ocfs2_refcount_cal_cow_clusters()' function. The problem arises when the 'copy_file_range()' function creates a reflinked extent marked as 'OCFS2_EXT_REFCOUNTED'. Following this, the 'ioctl(FITRIM)' command activates the 'ocfs2_move_extents()' function, which reads and caches the extent flags. However, the extent map cache is not invalidated after the move, leading to a mismatch between the cached flags and the updated flags on disk. This discrepancy causes a BUG_ON condition to trigger, indicating a critical error that could disrupt normal operations.

Impact

Exploitation of this vulnerability causes a BUG_ON condition to trigger in the 'ocfs2_refcount_cal_cow_clusters()' function, a critical kernel error that halts the affected system and disrupts normal operations.

Reproduction

The vulnerability can be reproduced by creating a reflinked extent in an OCFS2 file system using the 'copy_file_range()' function. After the extent is created, the 'ioctl(FITRIM)' command can be used to trigger the 'ocfs2_move_extents()' function, which reads and caches the extent flags. The subsequent 'ocfs2_move_extent()' or 'ocfs2_defrag_extent()' calls then clear the 'OCFS2_EXT_REFCOUNTED' flag on disk without invalidating the extent map cache. As a result, later write operations read the stale cached flags, and the mismatch between cached and on-disk flags triggers the BUG_ON condition.

Remediation

The vulnerability has been addressed by modifying the 'ocfs2_move_extents_range()' function to clear the extent map cache after each move or defragment operation. This change ensures that subsequent operations read the most current extent data from the disk.
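The bug class here is a cache that outlives the data it was copied from. The following toy model, added here as an illustration and not taken from the kernel or the fix, reduces the mechanism to its essentials: a single extent record on "disk", a per-inode extent map cache, a move operation that clears the refcounted flag on disk, and the consistency check that the copy-on-write path performs. All names (`extent_map_cache`, `move_extents_range_buggy`, `move_extents_range_fixed`, `run_scenario`) are assumptions for this model; only the flag name stands in for the page's 'OCFS2_EXT_REFCOUNTED'. The buggy path reproduces the stale-flag mismatch; the fixed path clears the cache after the move, as the remediation describes, and the check passes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (not kernel code): stands in for OCFS2_EXT_REFCOUNTED. */
#define EXT_REFCOUNTED 0x1u

/* One extent record as stored on disk. */
struct disk_extent {
    uint32_t cpos;
    uint32_t flags;
};

/* Per-inode extent map cache: a cached copy of the record plus a valid bit. */
struct extent_map_cache {
    bool valid;
    struct disk_extent rec;
};

/* Lookup: serve from the cache if populated, otherwise read "disk" and cache it. */
static struct disk_extent lookup_extent(struct extent_map_cache *cache,
                                        const struct disk_extent *disk)
{
    if (!cache->valid) {
        cache->rec = *disk;
        cache->valid = true;
    }
    return cache->rec;
}

/* Invalidate the cache so the next lookup re-reads from disk. */
static void extent_map_trunc(struct extent_map_cache *cache)
{
    cache->valid = false;
}

/* Models the move/defrag: the relocated extent is a fresh, unshared copy,
 * so its on-disk REFCOUNTED flag is cleared. */
static void move_extent_on_disk(struct disk_extent *disk)
{
    disk->flags &= ~EXT_REFCOUNTED;
}

/* Buggy range handler: moves the extent but leaves the cache untouched. */
static void move_extents_range_buggy(struct extent_map_cache *cache,
                                     struct disk_extent *disk)
{
    (void)cache;
    move_extent_on_disk(disk);
}

/* Fixed range handler: clears the cache after each move, per the remediation. */
static void move_extents_range_fixed(struct extent_map_cache *cache,
                                     struct disk_extent *disk)
{
    move_extent_on_disk(disk);
    extent_map_trunc(cache);
}

/* Models the check in the CoW path: true when the flags the write path sees
 * agree with disk; false is where the kernel's BUG_ON would fire. */
static bool cow_flags_consistent(struct extent_map_cache *cache,
                                 const struct disk_extent *disk)
{
    struct disk_extent seen = lookup_extent(cache, disk);
    return seen.flags == disk->flags;
}

/* Runs the advisory's sequence: reflink, cached lookup, move, then a write.
 * Returns true if the write path sees flags consistent with disk. */
bool run_scenario(bool fixed)
{
    /* copy_file_range() created a reflinked, refcounted extent. */
    struct disk_extent disk = { .cpos = 0, .flags = EXT_REFCOUNTED };
    struct extent_map_cache cache = { .valid = false };

    (void)lookup_extent(&cache, &disk);  /* move path reads and caches the flags */

    if (fixed)
        move_extents_range_fixed(&cache, &disk);
    else
        move_extents_range_buggy(&cache, &disk);

    return cow_flags_consistent(&cache, &disk);  /* later write hits the CoW check */
}

int main(void)
{
    printf("buggy path: %s\n", run_scenario(false) ? "consistent" : "stale flags (BUG_ON)");
    printf("fixed path: %s\n", run_scenario(true) ? "consistent" : "stale flags");
    return 0;
}
```

The invariant worth remembering from the model is that any code path that rewrites extent metadata on disk must also drop or update every cached view of that metadata before it returns; the fix does exactly that by calling the cache-truncation step after each move or defragment.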

Added: Dec 4, 2025, 4:59 PM
Updated: Dec 4, 2025, 5:58 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.