CVE-2024-41014
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
29/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: add bounds checking to xlog_recover_process_data

There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data.

We can create a crafted image to trigger an out of bounds read by following these steps:
1) Mount an image of xfs, and do some file operations to leave records
2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data
3) Write a tool to parse and modify the copied image in step 2
4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size
5) xlog_rec_header->h_num_logops++
6) Modify xlog_rec_header->h_crc

Fix:
Add a check to make sure there is sufficient space to access fixed members of xlog_op_header.
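As an added example (not the kernel's code or the referenced commit), a simplified C model of the record-walking loop with the check the fix describes; the 12-byte header layout, the function names and the sample record bytes are constructed assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified model of the on-disk xlog_op_header: 12 big-endian bytes
 * (oh_tid, oh_len, oh_clientid, oh_flags, oh_res2) then oh_len payload
 * bytes. Layout is an assumption here, not the kernel's definition. */
#define OP_HDR_SIZE 12u

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the ops of one log record. Returns the number of ops consumed, or
 * -1 if the record is corrupt. The loop condition dp < end only proves
 * that one byte remains, so a record whose last header begins 1 byte
 * before h_size, with h_num_logops bumped to match, would be read past
 * the buffer if the fixed-size check below were missing. */
int process_log_ops(const uint8_t *rec, size_t rec_len, uint32_t num_logops)
{
    const uint8_t *dp = rec, *end = rec + rec_len;
    int processed = 0;
    while (dp < end && num_logops) {
        /* The fix: all fixed members of the op header must lie inside
         * the record before any of them is read. */
        if ((size_t)(end - dp) < OP_HDR_SIZE)
            return -1;
        uint32_t oh_len = get_be32(dp + 4);     /* oh_len sits at offset 4 */
        dp += OP_HDR_SIZE;
        if ((size_t)(end - dp) < oh_len)        /* payload must fit too */
            return -1;
        dp += oh_len;
        num_logops--;
        processed++;
    }
    return processed;
}

/* Constructed sample: two well-formed ops (8- and 4-byte payloads) form a
 * 36-byte record; byte 37 is a stray trailing byte. Treating all 37 bytes
 * as a record that claims 3 ops reproduces the corrupt-record case. */
static const uint8_t sample_rec[] = {
    0,0,0,1, 0,0,0,8, 0x69,0, 0,0,  1,2,3,4,5,6,7,8,
    0,0,0,1, 0,0,0,4, 0x69,0, 0,0,  9,9,9,9,
    0x00,
};
int check_good_record(void)      { return process_log_ops(sample_rec, 36, 2); }  /* 2 */
int check_truncated_record(void) { return process_log_ops(sample_rec, 37, 3); }  /* -1 */
```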
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.120 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1
- https://git.kernel.org/stable/c/d1e3efe783365db59da88f08a2e0bfe1cc95b143
- https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html