Linux Kernel ext4 Fast Commit Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's ext4 file system, specifically within the fast commit feature. The issue arises in versions prior to the patch included in this CVE, where the function 'ext4_inode_attach_jinode()' incorrectly published the 'jinode' pointer to concurrent users before it was fully initialized. This allowed a reader to see a non-NULL 'jinode' while the associated 'i_vfs_inode' was still unset. Consequently, the fast commit flush path could pass this 'jinode' to 'jbd2_wait_inode_data()', which dereferenced 'i_vfs_inode->i_mapping', leading to a page fault and potential crash. The vulnerability has been addressed by ensuring that the 'jbd2_inode' is fully initialized before being published, using memory barriers to prevent concurrent read/write issues.

Impact

Exploitation of this vulnerability can cause a kernel crash due to a page fault, disrupting system operations and potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by attaching a 'jinode' to an inode in the ext4 file system's fast commit queue before the 'jbd2_inode' is initialized. This can be done by manually publishing the 'jinode' pointer in the 'ext4_inode_attach_jinode()' function, then triggering a fast commit flush that waits for inode data, which will dereference the uninitialized 'i_vfs_inode' and cause a crash.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Archive.