VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2023-53796

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix information leak in f2fs_move_inline_dirents()

When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it doesn't initialize the entire directory block. Fix this by zero-initializing the block.

This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry"), which didn't consider the security implications of leaking uninitialized memory to disk.

This was found by running xfstest generic/435 on a KMSAN-enabled kernel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's f2fs filesystem leaks uninitialized memory to disk when converting an inline directory due to missing zero-initialization, allowing possible information disclosure.

Vulnerability Details

The vulnerability resides in f2fs_move_inline_dirents() within the Linux kernel's f2fs filesystem. When converting an inline directory to a regular one, the function fails to zero-initialize the entire directory block before writing it to disk. This is a regression introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry"), which inadvertently removed initialization, leading to uninitialized memory being leaked to disk [1].

Attack Vector

Exploitation requires the ability to trigger conversion of an inline directory on an f2fs filesystem. This can be achieved by creating and then moving a sufficient number of directory entries to exceed the inline capacity, causing the kernel to convert the directory. No special privileges beyond standard file system operations are needed, but the attacker must have write access to the filesystem. The leak occurs during the conversion process, which is triggered by user-space operations.

Impact

The uninitialized memory may contain sensitive kernel heap data. When written to disk, this data persists and could be read by an attacker with access to the raw block device or through a subsequent read of the directory content. This constitutes an information disclosure vulnerability that could expose secrets such as kernel addresses or other sensitive data.

Mitigation

The fix was applied in Linux kernel commits that zero-initialize the directory block before writing. Users should update their kernels to include the fix. The vulnerability was discovered via KMSAN (Kernel Memory Sanitizer) while running xfstest generic/435.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
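The partial-initialization pattern described above, as an added user-space model (not kernel code and not part of this advisory). The struct layouts, sizes, the function names `convert_inline_dir` and `leaked_bytes`, and the `STALE` fill byte are all assumptions made for illustration; the model assumes the conversion wrote only the regions in use, and compares that with zeroing the whole block first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumed names/sizes, not f2fs's layout); STALE marks old data. */
enum { INLINE_SLOTS = 16, BLOCK_SLOTS = 64, ENTRY_LEN = 12, NAME_LEN = 8, STALE = 0xAA };

struct inline_dir {
    uint8_t bitmap[INLINE_SLOTS / 8];
    uint8_t entry[INLINE_SLOTS][ENTRY_LEN];
    uint8_t name[INLINE_SLOTS][NAME_LEN];
};

struct dir_block {
    uint8_t bitmap[BLOCK_SLOTS / 8];
    uint8_t reserved[8];
    uint8_t entry[BLOCK_SLOTS][ENTRY_LEN];
    uint8_t name[BLOCK_SLOTS][NAME_LEN];
};

/* zero_first == 0: only the regions in use are written (the leaky pattern).
 * zero_first == 1: the whole block is cleared first (the fix the advisory names). */
static void convert_inline_dir(struct dir_block *dst,
                               const struct inline_dir *src, int zero_first)
{
    if (zero_first)
        memset(dst, 0, sizeof(*dst));
    memcpy(dst->bitmap, src->bitmap, sizeof(src->bitmap));
    memset(dst->bitmap + sizeof(src->bitmap), 0,
           sizeof(dst->bitmap) - sizeof(src->bitmap));
    memcpy(dst->entry, src->entry, sizeof(src->entry));
    memcpy(dst->name, src->name, sizeof(src->name));
}

/* Bytes of the converted block that still hold stale data and would reach disk. */
size_t leaked_bytes(int zero_first)
{
    struct inline_dir src = { .bitmap = { 0x07 } };   /* three live entries */
    struct dir_block blk;
    const uint8_t *p = (const uint8_t *)&blk;
    size_t i, n = 0;
    memset(&blk, STALE, sizeof(blk));                 /* simulate unzeroed page */
    convert_inline_dir(&blk, &src, zero_first);
    for (i = 0; i < sizeof(blk); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void) { printf("%zu %zu\n", leaked_bytes(0), leaked_bytes(1)); return 0; }
```

In this model the stale bytes sit in the reserved area and in the entry and name slots beyond the inline capacity, which is why a bitmap that marks those slots unused does not stop their contents from being written out.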

Affected products: 2

Patches: 8

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
