Linux Kernel Romfs Filesystem Blocksize Handling Vulnerability

A vulnerability exists in the Linux kernel's handling of the Romfs filesystem, specifically in the function that fills the superblock. The issue arises because the function ignores the return value of a critical blocksize setting operation, which can lead to improper filesystem mounting. This vulnerability can be triggered by configuring a loop device with a blocksize larger than the standard page size, and then mounting a Romfs filesystem on that device. The mismatch in blocksize requirements can cause the filesystem to be mounted incorrectly, leading to a kernel error when the system attempts to read data using the oversized blocksize. This flaw has been addressed by modifying the Romfs implementation to properly check and respond to blocksize setting errors, ensuring that incompatible configurations are not allowed.

Impact

Mounting a Romfs filesystem with an incorrect blocksize can cause a kernel crash due to a triggered assertion failure. This crash occurs because the filesystem operations attempt to use a blocksize that exceeds the maximum allowed size, leading to a critical error in the kernel's buffer management.

Reproduction

To reproduce this vulnerability, first set a loop device's blocksize to 32768 bytes, which is larger than the default page size. This can be done using the LOOP_SET_BLOCK_SIZE ioctl command. After configuring the loop device, mount a Romfs filesystem on it. The Romfs implementation will attempt to set the blocksize to 4096 bytes, but will fail validation because 4096 is smaller than the device's logical blocksize of 32768. Despite this failure, Romfs will continue the mounting process, resulting in the superblock retaining the incorrect blocksize. When the filesystem is accessed, the mismatch will trigger a kernel bug, causing a crash.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.