CVE-2023-54192

Vulnerability

Analysis

CVE-2023-54192 is a null pointer dereference vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) filesystem. The bug resides in the tracepoint used in the __replace_atomic_write_block function, where a pointer (old_addr) can be NULL when passed to the tracepoint macro. The commit description confirms that a panic occurred due to a NULL pointer dereference at address 0x0000000000000000, triggered during f2fs_commit_atomic_write [1].

Exploitation

The vulnerability is triggered during the commit of an atomic write operation via the f2fs_commit_atomic_write function, which is called from the __f2fs_ioctl handler. An attacker with local access and the ability to mount an f2fs filesystem and perform atomic write operations (via the F2FS_IOC_START_ATOMIC_WRITE and F2FS_IOC_COMMIT_ATOMIC_WRITE ioctls) can exploit this bug. No special privileges beyond normal filesystem access are required, as the ioctl is available to unprivileged users with write access to the filesystem. The crash occurs when the tracepoint attempts to dereference the NULL old_addr pointer, leading to a kernel panic [1].

Impact

Successful exploitation results in a denial of service (DoS) by causing a system crash (kernel panic). This can disrupt services and require a system reboot. The vulnerability does not appear to lead to privilege escalation or arbitrary code execution, as it is a null pointer dereference in a tracepoint, which is typically read-only and does not control execution flow beyond the crash [1].

Mitigation

The fix was included in Linux kernel stable releases. The commit (424f8cdc0ad2) checks for NULL old_addr before passing it to the tracepoint, preventing the dereference. Users should update their kernels to include this patch. The referenced stable kernel commit ensures the fix is backported to affected stable branches. No workaround is known other than applying the patch or disabling f2fs atomic write operations if possible [1].