Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's RAID5 journal metadata handling has been addressed. During journal recovery the kernel parses metadata blocks read from the journal device, and certain recovery functions walked the payloads in those blocks using the on-disk size fields without verifying them against the space actually available in the metadata block. Because those fields are untrusted input, a corrupted or crafted journal whose payload sizes exceeded the PAGE_SIZE limit of the block caused out-of-bounds reads. The fix introduces bounds validation for each payload type, rejecting a block unless every payload fits within the declared metadata size before any of its contents are processed.
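The bug pattern described above, as an added example that is not the kernel's own code: a simplified journal-metadata walker in its pre-fix form (trusting every size field) beside the post-fix form (validating each field against the space that remains). The layout (struct meta_block, struct payload_hdr, META_MAGIC, BLOCK_SIZE) is invented for this example and only loosely mirrors the description; the function names and the constructed test blocks are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 4096u        /* stand-in for PAGE_SIZE */
#define TAIL_SIZE  64u          /* bytes that happen to follow the page in memory */
#define META_MAGIC 0x4c354d44u  /* arbitrary value for this example */

enum { PAYLOAD_DATA = 1, PAYLOAD_FLUSH = 2 };

/* Simplified journal metadata layout, invented for this example; it is not the
 * kernel's on-disk format. Every field is read from disk and is untrusted. */
struct meta_block  { uint32_t magic; uint32_t meta_size; };            /* meta_size: bytes in use */
struct payload_hdr { uint16_t type; uint16_t flags; uint32_t count; }; /* count: u64 entries that follow */

struct walk_result { size_t n_entries; uint64_t last_value; };

static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, sizeof v); return v; }

/* Pre-fix: trusts meta_size and each payload's count, so a crafted block
 * walks the parser past the end of the page it was given. */
int walk_payloads_unchecked(const uint8_t *blk, struct walk_result *res)
{
    struct meta_block mb;
    memcpy(&mb, blk, sizeof mb);
    if (mb.magic != META_MAGIC)
        return -EINVAL;
    res->n_entries = 0;
    res->last_value = 0;
    for (size_t off = sizeof mb; off < mb.meta_size; ) {     /* meta_size vs page: unchecked */
        struct payload_hdr ph;
        memcpy(&ph, blk + off, sizeof ph);
        off += sizeof ph;
        for (uint32_t i = 0; i < ph.count; i++, off += 8) { /* count vs meta_size: unchecked */
            res->last_value = read_u64(blk + off);
            res->n_entries++;
        }
    }
    return 0;
}

/* Post-fix: every on-disk size is validated against the space that is
 * actually available before the bytes it describes are touched. */
int walk_payloads_checked(const uint8_t *blk, size_t blk_len, struct walk_result *res)
{
    struct meta_block mb;
    if (blk_len < sizeof mb)
        return -EINVAL;
    memcpy(&mb, blk, sizeof mb);
    if (mb.magic != META_MAGIC)
        return -EINVAL;
    if (mb.meta_size < sizeof mb || mb.meta_size > blk_len)  /* block must fit the page */
        return -EINVAL;
    res->n_entries = 0;
    res->last_value = 0;
    for (size_t off = sizeof mb; off < mb.meta_size; ) {
        struct payload_hdr ph;
        if (mb.meta_size - off < sizeof ph)                   /* header must fit */
            return -EINVAL;
        memcpy(&ph, blk + off, sizeof ph);
        off += sizeof ph;
        if (ph.type != PAYLOAD_DATA && ph.type != PAYLOAD_FLUSH)
            return -EINVAL;
        /* Widen before multiplying so a large count cannot wrap the size. */
        if ((uint64_t)ph.count * 8 > mb.meta_size - off)      /* entries must fit */
            return -EINVAL;
        for (uint32_t i = 0; i < ph.count; i++, off += 8) {
            res->last_value = read_u64(blk + off);
            res->n_entries++;
        }
    }
    return 0;
}

/* One page plus a tail standing in for whatever memory follows it. */
struct arena { uint8_t bytes[BLOCK_SIZE + TAIL_SIZE]; };

/* Constructed input: header plus a single payload whose entries are all zero. */
void build_block(struct arena *a, uint32_t meta_size, uint16_t type, uint32_t count)
{
    struct meta_block mb = { META_MAGIC, meta_size };
    struct payload_hdr ph = { type, 0, count };
    memset(a->bytes, 0, BLOCK_SIZE);
    memset(a->bytes + BLOCK_SIZE, 0xAA, TAIL_SIZE);   /* recognisable "neighbour" bytes */
    memcpy(a->bytes, &mb, sizeof mb);
    memcpy(a->bytes + sizeof mb, &ph, sizeof ph);
}

int main(void)
{
    static struct arena a;
    struct walk_result r;
    /* meta_size larger than the page: the old walker reads 0xAA bytes from past the block. */
    build_block(&a, BLOCK_SIZE + 32, PAYLOAD_DATA, (BLOCK_SIZE + 32 - 16) / 8);
    walk_payloads_unchecked(a.bytes, &r);
    printf("unchecked: %zu entries, last value 0x%016llx\n", r.n_entries, (unsigned long long)r.last_value);
    printf("checked:   rc=%d\n", walk_payloads_checked(a.bytes, BLOCK_SIZE, &r));
    /* meta_size fine, but one payload claims more entries than the block holds. */
    build_block(&a, 64, PAYLOAD_FLUSH, 100);
    printf("checked:   rc=%d\n", walk_payloads_checked(a.bytes, BLOCK_SIZE, &r));
    return 0;
}
```

The arena's tail makes the leak observable without undefined behaviour: the unchecked walker's last entry comes back as the 0xAA filler that lies beyond the block, which in a kernel would be whatever memory follows the page. Note that the hardened walker needs two distinct checks, the block against the page and each payload against the remaining block, because a block can be well within PAGE_SIZE and still carry a payload whose count overruns it.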
A crafted or corrupted journal triggers out-of-bounds reads in the kernel during journal recovery. The realistic consequences are a kernel crash (denial of service) or disclosure of whatever kernel memory lies beyond the metadata block; because the flaw is a read rather than a write, it does not by itself corrupt memory.
The vulnerability can be reproduced by creating a RAID5 array with a journal device whose metadata has been tampered with so that a payload's size field claims more data than fits in the PAGE_SIZE metadata block. When the array is assembled, the kernel's journal recovery code parses that metadata and, without the fix, reads past the end of the block. Since the trigger is on-disk data rather than a system call, the precondition is the ability to write to the journal device, or to supply a crafted image as one, before the array is assembled.
Users should update to a kernel release that includes the fix through their distribution's normal update channel; instructions for updating the kernel can be found in the official Linux documentation. Only arrays configured with a RAID5 write-journal device exercise the affected recovery path, so arrays without a journal are not exposed by this bug. Until the kernel is updated, the practical mitigation for arrays that do use a journal is to treat the journal device as trusted input and not assemble arrays from journal devices that may have been tampered with.