Linux Kernel EROFS File System Sanity Check Vulnerability in Encoded Extents

Vulnerability

A vulnerability has been identified in the Linux kernel's EROFS (Enhanced Read-Only File System) component, in the handling of encoded extents. The issue is present in Linux versions starting from 6.15 and can lead to system crashes. It is triggered by two types of corrupted image files that cause out-of-bounds memory access when processed. In the first type, a length field (plen) is not zero but fails a validity check, so that special extents are handled improperly. In the second type, a physical address combined with the length wraps around and accesses memory beyond the intended bounds, because physical block addresses are not properly validated.

Impact

Exploitation of this vulnerability can cause system crashes due to invalid memory access, potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by creating a corrupted EROFS image that includes encoded extents. One type of corrupted image should have a length field (plen) that is non-zero but does not pass the validity check, while another should include a physical address that, when processed, wraps around and causes an out-of-bounds access in the EROFS file system's compression handling function.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.
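
The two sanity checks described above can be illustrated with the following added example, which is not the kernel's patch or EROFS code. The names (ex_extent, ex_check_extent, EX_PLEN_MASK), the 24-bit length mask and the device size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example (not the EROFS on-disk format): the low 24 bits
 * of plen hold the byte length, the remaining high bits hold flags. */
#define EX_PLEN_MASK 0x00FFFFFFu

enum ex_status { EX_OK, EX_SPECIAL, EX_CORRUPT };

struct ex_extent {
    uint64_t pa;   /* physical byte address, read from the image */
    uint32_t plen; /* raw length field, read from the image */
};

/* Naive bound test: pa + len wraps for a huge pa, so it wrongly passes. */
bool ex_naive_in_bounds(uint64_t pa, uint64_t len, uint64_t dev_size)
{
    return pa + len <= dev_size;
}

/* Validate one untrusted extent against a device of dev_size bytes. */
enum ex_status ex_check_extent(const struct ex_extent *e, uint64_t dev_size)
{
    uint64_t len = e->plen & EX_PLEN_MASK;

    /* Case 1: classify on the masked length. A raw plen that is non-zero
     * but masks to zero carries no data and is a special extent. */
    if (len == 0)
        return EX_SPECIAL;

    /* Case 2: subtract instead of add, so the check itself cannot wrap. */
    if (e->pa >= dev_size || len > dev_size - e->pa)
        return EX_CORRUPT;

    return EX_OK;
}

int main(void)
{
    /* Constructed sample: address near the top of the 64-bit range. */
    struct ex_extent wrap = { UINT64_MAX - 0xFFF, 0x2000 };
    uint64_t dev_size = 1ULL << 30;

    printf("naive=%d checked=%d\n",
           ex_naive_in_bounds(wrap.pa, wrap.plen, dev_size),
           ex_check_extent(&wrap, dev_size));
    return 0;
}
```

The extent is rejected before any loop or array index is derived from pa and plen, which is the point at which an unchecked wrap would otherwise turn into an out-of-bounds access.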

Added: Dec 4, 2025, 4:52 PM
Updated: Dec 4, 2025, 5:51 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.