Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the XFS filesystem implementation of the Linux kernel, specifically within the attribute leaf handling of extended attributes (xattrs). This issue arises from a freemap size underflow, which can leave behind zero-length freemap entries with nonzero bases. Such entries can cause overlaps with other freemap entries during subsequent setxattr operations, leading to data loss by allowing xattr name-value entries to be allocated on top of the entries array. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to data loss by overwriting existing entries in the extended attribute name-value array.
The vulnerability can be reproduced by adding extended attributes to a file in a way that triggers the freemap size underflow. This can be done by appending enough data to exceed the current allocation, causing the freemap to incorrectly calculate the available free space. After this, additional setxattr operations can be performed to increase the base of the freemap entry, creating an overlap with another entry, which will result in data loss.
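A simplified model of the freemap state described above, with an invariant check that flags it. This is an added example, not XFS kernel code: the three-slot map, the 8-byte entry size, the struct and function names, the `clear_empty` variant and the sample offsets are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAPSIZE 3 /* freemap slots in this model (assumption) */
#define ENTSIZE 8 /* bytes per entries-array slot (assumption) */
struct fmap { uint16_t base, size; };
enum fm_err { FM_OK, FM_STALE, FM_BELOW_ENTRIES, FM_OVERLAP };

/* Grow the entries array by one slot. The slot starting at the old end gives
 * up ENTSIZE bytes, clamped so size never wraps. clear_empty == 0 leaves an
 * emptied slot with its advanced base (stale); nonzero resets it to {0, 0}. */
static uint16_t grow_entries(struct fmap *m, uint16_t entries_end, int clear_empty)
{
    for (int i = 0; i < MAPSIZE; i++) {
        if (m[i].base != entries_end)
            continue;
        uint16_t take = m[i].size < ENTSIZE ? m[i].size : ENTSIZE;
        m[i].base = (uint16_t)(m[i].base + ENTSIZE);
        m[i].size = (uint16_t)(m[i].size - take);
        if (clear_empty && m[i].size == 0)
            m[i].base = 0;
    }
    return (uint16_t)(entries_end + ENTSIZE);
}

/* Check one freemap against the position where the entries array ends. */
static enum fm_err check_freemap(const struct fmap *m, uint16_t entries_end)
{
    for (int i = 0; i < MAPSIZE; i++) {
        if (m[i].size == 0 && m[i].base != 0)
            return FM_STALE;          /* empty slot still carries a base */
        if (m[i].size != 0 && m[i].base < entries_end)
            return FM_BELOW_ENTRIES;  /* "free" bytes inside the entries array */
    }
    for (int i = 0; i < MAPSIZE; i++)
        for (int j = i + 1; j < MAPSIZE; j++)
            if (m[i].size && m[j].size &&
                m[i].base < m[j].base + m[j].size &&
                m[j].base < m[i].base + m[i].size)
                return FM_OVERLAP;    /* two slots claim the same bytes */
    return FM_OK;
}

int main(void)
{
    struct fmap m[MAPSIZE] = { {40, 4}, {56, 64}, {0, 0} }; /* constructed sample */
    uint16_t end = grow_entries(m, 40, 0);
    printf("end=%u slot0={%u,%u} check=%d\n", end, m[0].base, m[0].size, check_freemap(m, end));
    return 0;
}
```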
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.