CVE-2026-23235

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/03/2026
Last modified:
04/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix out-of-bounds access in sysfs attribute read/write

Some f2fs sysfs attributes suffer from out-of-bounds memory access and
incorrect handling of integer values whose size is not 4 bytes.

For example:
vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1

carve_out maps to {struct f2fs_sb_info}->carve_out, which is an 8-bit
integer. However, the sysfs interface allows setting it to a value
larger than 255, resulting in an out-of-range update.

atgc_age_threshold maps to {struct atgc_management}->age_threshold,
which is a 64-bit integer, but its sysfs interface cannot correctly set
values larger than UINT_MAX.

The root causes are:
1. __sbi_store() treats all default values as unsigned int, which
prevents updating integers larger than 4 bytes and causes out-of-bounds
writes for integers smaller than 4 bytes.

2. f2fs_sbi_show() also assumes all default values are unsigned int,
leading to out-of-bounds reads and incorrect access to integers larger
than 4 bytes.

This patch introduces {struct f2fs_attr}->size to record the actual size
of the integer associated with each sysfs attribute. With this
information, sysfs read and write operations can correctly access and
update values according to their real data size, avoiding memory
corruption and truncation.
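A user-space model of the two root causes and of a size-aware accessor, as an added example that is not the kernel's code or the patch itself. `struct demo_sbi`, `struct demo_attr` and the function names are hypothetical, and rejecting over-wide input with `-EINVAL` is this example's choice, not something the description states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a struct holding tunables of different widths. */
struct demo_sbi {
    uint8_t  carve_out;      /* 8-bit field */
    uint8_t  neighbour[3];   /* bytes a 4-byte access to carve_out also covers */
    uint64_t age_threshold;  /* 64-bit field */
};
/* Hypothetical descriptor; size plays the role the page gives f2fs_attr->size. */
struct demo_attr { size_t offset, size; };
static const struct demo_attr CARVE = { offsetof(struct demo_sbi, carve_out), 1 };
static const struct demo_attr AGE = { offsetof(struct demo_sbi, age_threshold), 8 };
/* "Before": every attribute is written and read as unsigned int. */
static void store_as_uint(struct demo_sbi *s, const struct demo_attr *a, const char *buf)
{
    unsigned int v = (unsigned int)strtoull(buf, NULL, 0); /* truncates to 32 bits */
    memcpy((char *)s + a->offset, &v, sizeof v);           /* always 4 bytes */
}
static unsigned int show_as_uint(const struct demo_sbi *s, const struct demo_attr *a)
{
    unsigned int v;
    memcpy(&v, (const char *)s + a->offset, sizeof v);
    return v;
}

/* "After": touch exactly a->size bytes; rejecting too-large input is this example's choice. */
static int store_sized(struct demo_sbi *s, const struct demo_attr *a, const char *buf)
{
    unsigned long long v = strtoull(buf, NULL, 0);
    uint8_t v8 = (uint8_t)v; uint32_t v32 = (uint32_t)v; uint64_t v64 = v;
    char *p = (char *)s + a->offset;
    switch (a->size) {
    case 1: if (v > UINT8_MAX) return -EINVAL; memcpy(p, &v8, 1); return 0;
    case 4: if (v > UINT32_MAX) return -EINVAL; memcpy(p, &v32, 4); return 0;
    case 8: memcpy(p, &v64, 8); return 0;
    default: return -EINVAL;
    }
}
int main(void)
{
    struct demo_sbi s = {0};
    store_as_uint(&s, &CARVE, "65537");  /* also overwrites neighbour[] */
    printf("as uint: %u, sized rc: %d\n", show_as_uint(&s, &CARVE), store_sized(&s, &AGE, "4294967297"));
    return 0;
}
```

In the model the 4-byte write stays inside `struct demo_sbi` so the demonstration is well-defined; in the real layout the bytes after an 8-bit field belong to whatever member follows it.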

Impact