VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54132

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: stop parsing non-compact HEAD index if clusterofs is invalid

Syzbot generated a crafted image [1] with a non-compact HEAD index of clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1, which causes the following unexpected behavior as below:

    BUG: unable to handle page fault for address: fffff52101a3fff9
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 23ffed067 P4D 23ffed067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP KASAN
    CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
    Workqueue: erofs_worker z_erofs_decompressqueue_work
    RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40
    ...
    Call Trace:
     z_erofs_decompressqueue_work+0x99/0xe0
     process_one_work+0x8f6/0x1170
     worker_thread+0xa63/0x1210
     kthread+0x270/0x300
     ret_from_fork+0x1f/0x30

Note that normal images or images using compact indexes are not impacted. Let's fix this now.

[1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted EROFS image with an invalid clusterofs in a non-compact HEAD index causes a kernel NULL-pointer dereference during decompression.

Vulnerability Overview

CVE-2023-54132 is a kernel memory safety vulnerability in the EROFS (Enhanced Read-Only File System) implementation. The root cause is the lack of validation for the clusterofs field in non-compact HEAD indexes. A crafted filesystem image can supply an out-of-range value (e.g., 33024 vs. the valid range 0..lclustersize-1), which leads to a page fault when the decompression engine attempts to access memory using this invalid offset [1].

Attack Vector and Prerequisites

An attacker must be able to mount a malicious EROFS image, typically by tricking a local user or a privileged process into accessing a storage device or loopback file that contains the crafted image. The vulnerability is triggered during the decompression workqueue (z_erofs_decompressqueue_work) when a non-compact index is parsed. No additional authentication or network access is required once the malicious image is mounted. The attack surface is limited to systems where untrusted filesystem images can be introduced, such as sandboxed environments or systems that automatically mount removable media [1].

Impact

A successful exploit causes a kernel panic (BUG: unable to handle page fault) resulting in a denial of service. The log shows an Oops with a non-present page at an address derived from the invalid clusterofs. While the report does not confirm remote code execution, the nature of the out-of-bounds access could, in principle, be leveraged for privilege escalation or arbitrary code execution by an attacker who can carefully control the memory layout [1].

Mitigation

The fix was applied to the Linux kernel stable trees in commits [1], [2], and [3], which add bounds checking for the clusterofs field before it is used. Users should update their kernel to a version that includes these patches. No workaround is available other than avoiding the use of untrusted EROFS images on unpatched systems [1].
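
The bounds check described above, as a userspace sketch added here for illustration. It is not the kernel's code or the code of the fix commits; the 8-byte entry layout, the type values and the names `parse_index` and `head_info` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified 8-byte non-compact index entry (little-endian on disk):
 * bytes 0-1 advise (low 2 bits = cluster type), bytes 2-3 clusterofs,
 * bytes 4-7 block address. Names and layout are illustrative only. */
enum { TYPE_PLAIN = 0, TYPE_HEAD = 1, TYPE_NONHEAD = 2 };
enum { IDX_OK = 0, IDX_CORRUPTED = -1 };

struct head_info {
    unsigned type;
    uint16_t clusterofs;
    uint32_t blkaddr;
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one entry (caller passes lclusterbits < 32). Entries other than
 * NONHEAD are rejected when clusterofs is outside 0 .. lclustersize-1,
 * before any caller can use the value as an offset into a cluster. */
int parse_index(const uint8_t raw[8], unsigned lclusterbits, struct head_info *out)
{
    uint32_t lclustersize = 1u << lclusterbits;

    out->type = rd_le16(raw) & 3u;
    out->clusterofs = rd_le16(raw + 2);
    out->blkaddr = rd_le32(raw + 4);
    if (out->type != TYPE_NONHEAD && out->clusterofs >= lclustersize)
        return IDX_CORRUPTED;   /* stop parsing: the image is corrupted */
    return IDX_OK;
}

int main(void)
{
    /* Constructed sample entries; 4096-byte logical clusters (bits = 12). */
    const uint8_t bad[8]  = { 0x01, 0x00, 0x00, 0x81, 0x10, 0, 0, 0 }; /* 33024 */
    const uint8_t good[8] = { 0x01, 0x00, 0xff, 0x0f, 0x10, 0, 0, 0 }; /* 4095 */
    struct head_info hi;

    printf("clusterofs 33024 -> %d\n", parse_index(bad, 12, &hi));
    printf("clusterofs 4095  -> %d\n", parse_index(good, 12, &hi));
    return 0;
}
```
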

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 7

References: 7