Linux Kernel OCFS2 Suballocation Chain Vulnerability Causes Kernel Panic

A vulnerability in the Linux kernel's OCFS2 file system has been addressed, which caused a kernel panic by triggering a BUG_ON condition. This issue arose because the 'cl_next_free_rec' field, indicating the next available slot in the allocation chain list, was zero. This situation led to a failure in the 'ocfs2_find_victim_chain()' function, as the absence of free chains caused the kernel to panic. The vulnerability has been resolved by introducing a conditional check in the 'ocfs2_claim_suballoc_bits()' function. This check ensures that the 'cl_next_free_rec' value is valid before proceeding to find a victim chain, thereby preventing the kernel panic.

Impact

Exploitation of this vulnerability would lead to a kernel panic, causing a denial of service by abruptly stopping the kernel's operations.

Reproduction

The vulnerability can be reproduced by creating a scenario where the 'cl_next_free_rec' field of the allocation chain list is set to zero. This can be done by exhausting all available chains in the allocation process, leaving no free slots for the 'ocfs2_find_victim_chain()' function to utilize. Once this condition is met, the kernel will panic, demonstrating the vulnerability.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.