Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 additional CPE entries not listed here)
A use-after-free vulnerability has been identified in the OCFS2 file system of the Linux kernel. The issue arises in the 'ocfs2_validate_inode_block' function, which reads inodes from disk and performs sanity checks. However, it fails to validate the size of inline data. In cases of filesystem corruption, an inode's size can exceed the actual inline data capacity. This discrepancy allows the 'ocfs2_dir_foreach_blk_id' function to iterate beyond the inline data buffer, accessing directory entries from freed memory and triggering a use-after-free condition. This vulnerability affects several versions of the Linux kernel.
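As an added illustration, not the kernel's code and not taken from this advisory's source, the C model below shows the class of check the description says 'ocfs2_validate_inode_block' lacks: comparing the on-disk size of an inline-data inode against the inline capacity the block can really hold before any directory walk uses that size as a loop bound. Structure names, field sizes, the feature flag value and the entry header length are simplified assumptions.

```c
/* Simplified model of an OCFS2 inline-data inode and the read-time size check
 * the advisory describes as missing. Names, sizes and layout are illustrative
 * assumptions, not the kernel's structures. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define BLOCK_SIZE     4096u
#define HEADER_LEN     256u   /* assumed inode header before the inline area */
#define INLINE_DATA_FL 0x1u   /* assumed feature bit: data stored in the inode */
#define DIRENT_HDR     8u     /* assumed entry header; rec_len is its first u16 */

struct model_dinode {
    uint32_t i_dyn_features;       /* feature flags */
    uint64_t i_size;               /* on-disk size, untrusted until validated */
    uint16_t i_xattr_inline_size;  /* block tail reserved for inline xattrs */
    uint8_t  id_data[BLOCK_SIZE - HEADER_LEN]; /* inline data area */
};

/* The check: an inline inode must not claim more bytes than the block holds
 * once the header and the inline xattr region are subtracted. */
bool validate_inline_size(const struct model_dinode *di)
{
    if (!(di->i_dyn_features & INLINE_DATA_FL))
        return true;                /* extent-based inode, other checks apply */
    if (di->i_xattr_inline_size > sizeof(di->id_data))
        return false;               /* xattr region itself is corrupt */
    return di->i_size <= sizeof(di->id_data) - di->i_xattr_inline_size;
}

/* Bounded directory walk over [0, i_size) after validation, so it cannot read
 * past id_data. Returns entries seen, or -1 if the inode or an entry is bad. */
long walk_inline_dir(const struct model_dinode *di)
{
    if (!validate_inline_size(di))
        return -1;
    size_t off = 0, end = (size_t)di->i_size;
    long count = 0;
    while (off + DIRENT_HDR <= end) {
        uint16_t rec_len;
        memcpy(&rec_len, di->id_data + off, sizeof rec_len);
        if (rec_len < DIRENT_HDR || off + rec_len > end)
            return -1;              /* malformed entry: stop before overrunning */
        count++;
        off += rec_len;
    }
    return count;
}
```

Without the size comparison, a corrupted i_size larger than the inline area would let the same loop read past id_data, which is the out-of-bounds access the description attributes to 'ocfs2_dir_foreach_blk_id'.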
Exploitation of this vulnerability leads to a use-after-free condition, where the system accesses memory that has already been freed, potentially allowing for arbitrary code execution or causing a system crash.
The vulnerability can be reproduced by creating a corrupted OCFS2 filesystem where an inode's size exceeds the inline data capacity. This can be done by manipulating the filesystem metadata to introduce inconsistencies, such as setting an excessively large inline data size while keeping the actual data capacity low. Once the corruption is in place, the 'ocfs2_dir_foreach_blk_id' function can be invoked, which will then iterate beyond the valid data buffer and access freed memory, triggering the use-after-free vulnerability.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.