Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's f2fs file system allows out-of-bounds memory access through certain sysfs attributes. The issue arises from improper handling of integer fields whose size is not 4 bytes: the sysfs interface accepts values that exceed the limits of the field's actual data type, leading to memory corruption. For instance, the 'carve_out' attribute is backed by an 8-bit integer but can be set to values larger than 255, producing an out-of-range update. Similarly, the 'atgc_age_threshold' attribute is backed by a 64-bit integer but cannot correctly take values above UINT_MAX. The root cause is that '__sbi_store()' treats every default value as an unsigned (4-byte) integer, so larger fields are not updated correctly and smaller fields receive out-of-bounds writes. Likewise, 'f2fs_sbi_show()' assumes every default value is an unsigned integer, which produces out-of-bounds reads on smaller fields and incorrect values for larger ones.
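The width mismatch described above, as an added user-space illustration that is not the kernel's code: a constructed f2fs-style info struct with a store that writes every field as an unsigned int (the pattern the advisory attributes to '__sbi_store()') beside a width-aware store that checks the field's real size first. The struct layout, the 'attr' descriptor and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not the kernel's real layout: an 8-bit carve_out followed
 * by bytes a 4-byte write would spill into, and a 64-bit atgc_age_threshold. */
struct sbi_model { uint8_t carve_out; uint8_t neighbours[7]; uint64_t atgc_age_threshold; };
/* Sysfs attribute descriptor: field offset and its true width in bytes. */
struct attr { size_t offset; size_t size; };
static const struct attr CARVE_OUT = { offsetof(struct sbi_model, carve_out), 1 };
static const struct attr ATGC_AGE  = { offsetof(struct sbi_model, atgc_age_threshold), 8 };
/* Buggy pattern from the advisory: every field is stored as an unsigned int, so a u8
 * field takes a 4-byte write that spills into its neighbours and a u64 loses its top half. */
static void store_buggy(struct sbi_model *sbi, const struct attr *a, unsigned long long val)
{
    unsigned int v = (unsigned int)val;             /* truncates 64-bit values */
    memcpy((char *)sbi + a->offset, &v, sizeof v);  /* 4 bytes regardless of a->size */
}

/* Width-aware store: range-check against the field's real width, then write exactly
 * a->size bytes. Returns 0 on success, -1 when the value is rejected. */
static int store_fixed(struct sbi_model *sbi, const struct attr *a, unsigned long long val)
{
    char *p = (char *)sbi + a->offset;
    if (a->size < 8 && val > ((1ULL << (8 * a->size)) - 1))
        return -1;                                  /* e.g. 256 into a u8 */
    switch (a->size) {
    case 1: { uint8_t  v = (uint8_t)val;  memcpy(p, &v, 1); return 0; }
    case 4: { uint32_t v = (uint32_t)val; memcpy(p, &v, 4); return 0; }
    case 8: { uint64_t v = (uint64_t)val; memcpy(p, &v, 8); return 0; }
    default: return -1;
    }
}

/* Neighbour bytes changed by writing val to carve_out on a zeroed model (256: 1 buggy, 0 fixed). */
static int neighbours_clobbered(int use_fixed, unsigned long long val)
{
    struct sbi_model sbi = {0};
    if (use_fixed) store_fixed(&sbi, &CARVE_OUT, val); else store_buggy(&sbi, &CARVE_OUT, val);
    int n = 0;
    for (size_t i = 0; i < sizeof sbi.neighbours; i++) n += sbi.neighbours[i] != 0;
    return n;
}
/* Does a value above UINT_MAX survive the trip into atgc_age_threshold? (buggy: no) */
static int u64_survives(int use_fixed, unsigned long long val)
{
    struct sbi_model sbi = {0};
    if (use_fixed) store_fixed(&sbi, &ATGC_AGE, val); else store_buggy(&sbi, &ATGC_AGE, val);
    return sbi.atgc_age_threshold == val;
}
```

The neighbour count is independent of endianness: the four-byte image of 256 has exactly one non-zero byte, and it never lands on the first byte.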
Exploitation of this vulnerability results in out-of-bounds memory accesses, which can lead to memory corruption.
To reproduce this vulnerability, write a value greater than 255 to the '/sys/fs/f2fs/vde/carve_out' attribute. Then, read the value back, which will reflect the out-of-bounds update. Similarly, writing a value larger than UINT_MAX to the 'atgc_age_threshold' attribute will demonstrate the incorrect handling of larger integers.
Users can update to a patched version of the Linux kernel in which this vulnerability has been addressed.