ACK: [SRU][J][PATCH 0/1] CVE-2024-41014

Tim Whisonant tim.whisonant at canonical.com
Wed Feb 4 01:31:22 UTC 2026


On Tue, Feb 03, 2026 at 09:41:12AM +0100, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-41014
> 
> [ Impact ]
> 
> xfs: add bounds checking to xlog_recover_process_data
> 
> There is a lack of verification of the space occupied by fixed members
> of xlog_op_header in the xlog_recover_process_data.
> 
> We can create a crafted image to trigger an out of bounds read by
> following these steps:
>     1) Mount an image of xfs, and do some file operations to leave records
>     2) Before umounting, copy the image for subsequent steps to simulate
>        abnormal exit. Because umount will ensure that tail_blk and
>        head_blk are the same, which will result in the inability to enter
>        xlog_recover_process_data
>     3) Write a tool to parse and modify the copied image in step 2
>     4) Make the end of the xlog_op_header entries only 1 byte away from
>        xlog_rec_header->h_size
>     5) xlog_rec_header->h_num_logops++
>     6) Modify xlog_rec_header->h_crc
> 
> Add a check to make sure there is sufficient space to access fixed members
> of xlog_op_header.
> 
> 
> [ Fix ]
> 
> Backport fix commit from mainline:
> - fb63435b7c7d xfs: add bounds checking to xlog_recover_process_data
> 
> [ Test Plan ]
> 
> Compile tested only.
> 
> [ Where Problems Could Occur ]
> 
> The fix adds a simple check in the recovery process of XFS,
> which gets called when mounting the filesystem.
> A problem with the patch will cause errors during mounting
> of XFS partitions.
> 
> 

Acked-by: Tim Whisonant <tim.whisonant at canonical.com>
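
The check described in the quoted cover letter, as an added user-space example that is not part of the original mail or the kernel source. `struct op_header`, `walk_ops`, `demo` and `ERR_CORRUPT` are hypothetical names, and the header layout is a simplified host-endian stand-in for `xlog_op_header`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, host-endian stand-in for xlog_op_header (assumption of this example). */
struct op_header {
    uint32_t tid;
    uint32_t len;       /* payload bytes that follow this header */
    uint8_t  clientid;
    uint8_t  flags;
    uint16_t res2;
};

#define ERR_CORRUPT (-1)

/* Walk up to num_logops ops in buf[0..size); return ops parsed or ERR_CORRUPT. */
int walk_ops(const uint8_t *buf, size_t size, uint32_t num_logops)
{
    const uint8_t *dp = buf, *end = buf + size;
    int parsed = 0;

    while (dp < end && num_logops) {
        struct op_header oh;

        /* Fixed members must fit before end; with 1 byte left they do not. */
        if ((size_t)(end - dp) < sizeof(oh))
            return ERR_CORRUPT;
        memcpy(&oh, dp, sizeof(oh));
        dp += sizeof(oh);
        /* The payload length claimed by the header must fit as well. */
        if (oh.len > (size_t)(end - dp))
            return ERR_CORRUPT;
        dp += oh.len;
        num_logops--;
        parsed++;
    }
    return parsed;
}

/* Constructed sample: two well-formed ops, then `slack` trailing bytes,
 * with the op count inflated by `extra_ops`. */
int demo(size_t slack, uint32_t extra_ops)
{
    uint8_t buf[64] = {0};
    struct op_header oh = { .tid = 1, .len = 4 };
    size_t off = 0;

    for (int i = 0; i < 2; i++, off += sizeof(oh) + oh.len)
        memcpy(buf + off, &oh, sizeof(oh));
    return walk_ops(buf, off + slack, 2 + extra_ops);
}
```

`demo(1, 1)` models the record from the cover letter: one byte remains after the last op header entry and the op count is one too high, so the walk stops with an error instead of reading a header past the end.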


