APPLIED: [SRU][J][PATCH 0/1] CVE-2024-41014
Edoardo Canepa
edoardo.canepa at canonical.com
Thu Feb 5 11:49:39 UTC 2026
Applied to jammy:linux/master-next. Thanks.
On 2/3/26 09:41, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-41014
>
> [ Impact ]
>
> xfs: add bounds checking to xlog_recover_process_data
>
> There is a lack of verification of the space occupied by fixed members
> of xlog_op_header in the xlog_recover_process_data.
>
> We can create a crafted image to trigger an out of bounds read by
> following these steps:
> 1) Mount an image of xfs, and do some file operations to leave records
> 2) Before umounting, copy the image for subsequent steps to simulate
> abnormal exit. Because umount will ensure that tail_blk and
> head_blk are the same, which will result in the inability to enter
> xlog_recover_process_data
> 3) Write a tool to parse and modify the copied image in step 2
> 4) Make the end of the xlog_op_header entries only 1 byte away from
> xlog_rec_header->h_size
> 5) xlog_rec_header->h_num_logops++
> 6) Modify xlog_rec_header->h_crc
>
> Add a check to make sure there is sufficient space to access fixed members
> of xlog_op_header.
>
>
> [ Fix ]
>
> Backport fix commit from mainline:
> - fb63435b7c7d xfs: add bounds checking to xlog_recover_process_data
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Where Problems Could Occur ]
>
> The fix adds a simple check in the recovery process of XFS,
> which gets called when mounting the filesystem.
> A problem with the patch will cause errors during mounting
> of XFS partitions.
>
>
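
The bounds check described in the quoted cover letter, as a user-space sketch. This is an added example, not the kernel patch or the submitter's code. `struct op_header`, `process_record`, `build_record` and the return codes are hypothetical names with a made-up layout. The sample record is constructed in memory to mirror steps 4 and 5: the entries end 1 byte before the record size and the op count is one too high.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for xlog_op_header; the layout is NOT the kernel's. */
struct op_header {
    uint32_t tid;
    uint32_t len;               /* payload bytes that follow this header */
    uint8_t  clientid, flags;
    uint16_t pad;
};
enum { REC_OK = 0, REC_CORRUPT = -1 };

/* Walk up to num_logops entries in rec[0..size) without reading past size. */
int process_record(const uint8_t *rec, size_t size, uint32_t num_logops)
{
    size_t off = 0;
    while (off < size && num_logops) {
        struct op_header oh;
        /* The check under discussion: the fixed header members must fit. */
        if (size - off < sizeof(oh))
            return REC_CORRUPT;
        memcpy(&oh, rec + off, sizeof(oh));
        off += sizeof(oh);
        if (oh.len > size - off)    /* the claimed payload must fit too */
            return REC_CORRUPT;
        off += oh.len;
        num_logops--;
    }
    return REC_OK;
}

/* Constructed sample: one valid entry followed by a single trailing byte. */
size_t build_record(uint8_t *buf, size_t cap)
{
    struct op_header oh = { .tid = 1, .len = 4 };
    size_t need = sizeof(oh) + oh.len + 1;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    memcpy(buf, &oh, sizeof(oh));
    return need;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_record(buf, sizeof(buf));
    printf("%d %d\n", process_record(buf, n, 1), process_record(buf, n, 2));
    return 0;
}
```

With the correct op count the record parses; with the count raised by one, the walker rejects the record instead of reading a header from the last byte.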