Linux Kernel OCFS2 Out-of-Bounds Write Vulnerability in Inline Data Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's OCFS2 file system, in its handling of inline data. The flaw surfaces in the 'ocfs2_write_end_inline' function, which is called during a 'copy_file_range' operation on a corrupted OCFS2 file system mounted on a loop device. The result is an out-of-bounds write of 4086 bytes that overwrites an adjacent freed page. KASAN reports this as a use-after-free error, although it is primarily an out-of-bounds write. The root cause lies in the 'ocfs2_try_to_write_inline_data' function, which relies on the on-disk 'id_count' field to decide whether a write fits within the inline data limits. On a corrupted file system, 'id_count' can exceed the maximum allowable inline data capacity, so writes overflow the inode block buffer.

Impact

Exploitation of this vulnerability causes a use-after-free write: the write operation runs past the allocated buffer and into a freed memory area, potentially leading to memory corruption or arbitrary code execution.

Reproduction

To reproduce this vulnerability, mount a corrupted OCFS2 file system on a loop device. Then, perform a 'copy_file_range' operation that triggers the 'ocfs2_write_end_nolock' function. This will invoke the 'ocfs2_write_end_inline' function, where the out-of-bounds write will occur, overwriting an adjacent freed page.

Remediation

The vulnerability has been addressed by adding an upper bound check for the 'id_count' field in the 'ocfs2_validate_inode_block' function, ensuring it does not exceed the maximum inline data capacity. Users should update to the latest version of the Linux kernel where this fix has been applied.
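
The difference between trusting the on-disk 'id_count' and bounding it at validation time, as an added example: this is a simplified userspace model written for this page, not the kernel patch or OCFS2 source. The struct 'model_dinode', the 192-byte header, the 4096-byte block size and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified userspace model, NOT kernel code. All sizes are constructed. */
#define MODEL_BLOCK_SIZE 4096u       /* assumed file system block size */

struct model_dinode {                /* hypothetical stand-in for the inode block */
    uint8_t  header[192];            /* constructed: fields before the inline area */
    uint16_t id_count;               /* on-disk claim: capacity of id_data in bytes */
    uint16_t id_reserved;
    uint8_t  id_data[];              /* inline data, runs to the end of the block */
};

/* Real capacity is derived from block geometry, never read from disk. */
static size_t max_inline_data(void)
{
    return MODEL_BLOCK_SIZE - offsetof(struct model_dinode, id_data);
}

/* Pre-fix pattern: "does the write fit?" answered only by on-disk id_count. */
static int write_fits_trusting_disk(uint16_t id_count, size_t end)
{
    return end <= id_count;
}

/* Post-fix pattern: at inode validation, reject an id_count the block cannot hold. */
static int validate_id_count(uint16_t id_count)
{
    return id_count > max_inline_data() ? -1 : 0;   /* -1: treat as corrupted */
}

/* Bytes that a write ending at `end` would place past the block buffer. */
static size_t overflow_bytes(size_t end)
{
    size_t cap = max_inline_data();
    return end > cap ? end - cap : 0;
}

int main(void)
{
    uint16_t corrupt = 0xFFFF;       /* constructed corrupted on-disk value */
    size_t end = 4096;               /* constructed write end offset */

    printf("capacity=%zu trusted_fit=%d overflow=%zu validate=%d\n",
           max_inline_data(), write_fits_trusting_disk(corrupt, end),
           overflow_bytes(end), validate_id_count(corrupt));
    return 0;
}
```

In this model the corrupted value passes the fit check even though the write would run past the block, while the validation step rejects the inode before any write path can consult 'id_count'.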

Added: May 6, 2026, 11:13 AM
Updated: May 6, 2026, 11:13 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.