Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.6, < 6.7
A vulnerability in the Linux kernel's F2FS filesystem has been identified, specifically in versions 6.6 and later. This issue arises when using a swapfile smaller than 2MB that is not aligned to section boundaries, leading to improper mapping of swapfile extents. As a result, data writes can overwrite incorrect physical locations, causing corruption of other files' data. The problem does not occur with the ext4 filesystem.
Exploitation of this vulnerability can lead to data corruption on the F2FS filesystem, causing errors that disrupt normal device operation. This includes triggering dm-verity corruption errors that can cause a device to reboot, or F2FS node corruption errors that result in boot hangs.
To reproduce this vulnerability, set up a device with an F2FS-formatted userdata partition. Ensure the swapfile size is less than 2MB and has a fragmented physical layout with multiple non-contiguous extents. Then, run the swap stress test using the stress-ng tool, which can be compiled from its GitHub repository. The test should be executed with parameters that simulate the conditions required to trigger the vulnerability, such as using a small, unaligned swapfile on an F2FS filesystem with kernel 6.6 or later.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.
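To check whether a system matches the conditions described above (a kernel in the listed 6.6 range and a swapfile on F2FS smaller than 2MB), the following shell script can be used. It is an added example, not part of the original advisory. It assumes GNU coreutils `stat`, its function names are hypothetical, and it does not inspect section alignment or extent layout.

```shell
#!/bin/sh
# Added example (not from the advisory): report swapfiles that match the
# conditions described above. Coarse check: extent layout is not inspected.

# 0 if the release string is in the range the page lists (>= 6.6, < 6.7).
kernel_in_range() {
    case "$1" in
        6.6|6.6.*|6.6-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Filesystem type holding a path. Assumption: GNU coreutils stat is available.
fstype_of() {
    stat -f -c %T -- "$1" 2>/dev/null
}

# swap_at_risk FSTYPE SIZE_KIB: 0 if the swapfile is on F2FS and under 2 MB.
swap_at_risk() {
    [ "$1" = "f2fs" ] && [ "$2" -lt 2048 ]
}

# scan_swaps SWAPS_TABLE KERNEL_RELEASE
# Prints one line per matching swapfile; returns 0 if any matched, else 1.
scan_swaps() {
    kernel_in_range "$2" || return 1
    rc=1
    # /proc/swaps columns: Filename Type Size(KiB) Used Priority.
    # Size leaves out the swap header page, so the check errs toward flagging.
    while read -r name type size rest; do
        [ "$type" = "file" ] || continue      # skips the header and partitions
        if swap_at_risk "$(fstype_of "$name")" "$size"; then
            echo "AT RISK: $name ($size KiB swapfile on f2fs, kernel $2)"
            rc=0
        fi
    done < "$1"
    return "$rc"
}

# Touch the live system only when asked to.
if [ "${1:-}" = "--scan" ]; then
    scan_swaps /proc/swaps "$(uname -r)" || echo "no matching swapfile found"
fi
```

Run it with `--scan` to check the live system. A match means the configuration fits the advisory's description, not that the running kernel build lacks the fix.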