摘要:
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid accessing uninitialized curseg
syzbot reports a f2fs bug as below:
F2FS-fs (loop3): Stopped filesystem due to reason: 7
kworker/u8:7: attempt to access beyond end of device
BUG: unable to handle page fault for address: ffffed1604ea3dfa
RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]
RIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]
RIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]
RIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]
RIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649
<TASK>
f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]
f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791
write_inode fs/fs-writeback.c:1525 [inline]
__writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745
writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976
wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156
wb_do_writeback fs/fs-writeback.c:2303 [inline]
wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Commit 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") allows to trigger
no free segment fault in allocator, then it will update curseg->segno to
NULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed
to check the flag, and access invalid curseg->segno directly in below call
path, then resulting in panic:
- f2fs_write_inode
- f2fs_is_checkpoint_ready
- has_enough_free_secs
- has_not_enough_free_secs
- __get_secs_required
- has_curseg_enough_space
- get_ckpt_valid_blocks
: access invalid curseg->segno
To avoid this issue, let's:
- check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in
f2fs_write_inode().
- in has_curseg_enough_space(), save curseg->segno into a temp variable,
and verify its validation before use.
安全等级: Low
公告ID: KylinSec-SA-2025-2403
发布日期: 2025年6月5日
关联CVE: CVE-2025-22123
在Linux内核中,以下漏洞已修复:
f2fs:修复访问未初始化curseg的问题
syzbot报告了f2fs的如下缺陷:
F2FS-fs (loop3): 因原因7停止文件系统
kworker/u8:7: 尝试访问设备末尾之外的内存
BUG:无法处理地址ffffed1604ea3dfa的页错误
调用栈显示问题出现在检查点有效块获取逻辑链中:
get_ckpt_valid_blocks → has_curseg_enough_space → __get_secs_required → has_not_enough_free_secs → has_enough_free_secs
漏洞成因:
提交8b10d3653735引入的FAULT_NO_SEGMENT机制中,当分配器触发无可用段错误时,虽然将curseg->segno设为NULL_SEGNO,但f2fs_write_inode()未检查CP_ERROR_FLAG标志位,导致后续代码路径直接访问无效的curseg->segno指针,最终引发内核恐慌。
f2fs_write_inode → f2fs_is_checkpoint_ready →
has_enough_free_secs → has_not_enough_free_secs →
__get_secs_required → has_curseg_enough_space →
get_ckpt_valid_blocks
修复方案:
1. 在f2fs_write_inode()调用f2fs_is_checkpoint_ready()前,增加对CP_ERROR_FLAG标志位的检查
2. 在has_curseg_enough_space()函数中:
将curseg->segno保存到临时变量
使用前验证临时变量的有效性
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2025-22123 | KY3.4-5 | kernel | Unaffected |
| CVE-2025-22123 | V6 | kernel | Unaffected |
