PT-2024-7076 · Linux+5 · Linux Kernel+5
Syzbot · Published 2024-06-12 · Updated 2026-03-14 · CVE-2024-44942
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.50
Description
The vulnerability is in the f2fs file system in the Linux kernel. It is caused by a lack of input validation in the gc_data_segment() function, which can lead to a bug when the F2FS_INLINE_DATA flag is set in an inode during garbage collection. This bug can cause the kernel to crash or become unstable. The root cause is that the inline data inode can be fuzzed, resulting in a valid block address in its direct node. When the f2fs file system triggers background garbage collection to migrate the block, it hits a bug during dirty page writeback. To fix this issue, a sanity check on the F2FS_INLINE_DATA flag in the inode during garbage collection has been added.
Recommendations
To resolve this issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the f2fs_write_inline_data() function until a patch is available. Restrict access to the vulnerable fs/f2fs/inline.c module to minimize the risk of exploitation. Avoid using the F2FS_INLINE_DATA flag in the affected API endpoints until the issue is resolved.
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Ubuntu
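
The sanity check named in the Description, shown as an added userspace model (not the kernel's code and not part of this advisory): a garbage-collection pass that refuses to migrate blocks for an inode that carries the inline-data flag yet holds a valid block address. The names `model_inode`, `gc_result`, `inode_is_corrupt`, `gc_pass` and the `need_fsck` marker are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NULL_ADDR 0u   /* model: slot holds no block */
#define NR_ADDRS  4    /* model: slots per direct node */

struct model_inode {   /* hypothetical stand-in, not struct f2fs_inode */
    uint32_t ino;
    bool inline_data;            /* stands in for the F2FS_INLINE_DATA flag */
    uint32_t direct[NR_ADDRS];   /* block addresses in the direct node */
};

struct gc_result { size_t migrated, rejected; bool need_fsck; };

/* An inline-data inode keeps its data inside the inode itself, so a valid
 * block address in its direct node means the image is inconsistent. */
static bool inode_is_corrupt(const struct model_inode *in)
{
    if (!in->inline_data) return false;
    for (size_t i = 0; i < NR_ADDRS; i++)
        if (in->direct[i] != NULL_ADDR) return true;
    return false;
}

/* Model of a GC pass over the inodes that own blocks in a victim segment. */
struct gc_result gc_pass(const struct model_inode *inodes, size_t n)
{
    struct gc_result r = {0, 0, false};
    for (size_t i = 0; i < n; i++) {
        if (inode_is_corrupt(&inodes[i])) {  /* sanity check before migration */
            r.rejected++;
            r.need_fsck = true;  /* model's choice: mark for offline repair */
            continue;            /* block never reaches dirty page writeback */
        }
        for (size_t j = 0; j < NR_ADDRS; j++)
            if (inodes[i].direct[j] != NULL_ADDR) r.migrated++;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: inode 7 models the fuzzed inline-data inode. */
    struct model_inode set[] = { {5, false, {100, 101, 0, 0}},
        {7, true, {200, 0, 0, 0}}, {9, true, {0, 0, 0, 0}} };
    struct gc_result r = gc_pass(set, 3);
    printf("migrated=%zu rejected=%zu need_fsck=%d\n",
           r.migrated, r.rejected, r.need_fsck);
}
```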