jffs2: prevent xattr node from overflowing the eraseblock

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2024-38599
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2024-06-19 14:15:19 UTC
Updated2026-05-12 12:16:54 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Problem Types: CWE-125

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe 2904e1d9b64f72d291095e3cbb31634f08788b11 git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe 526235dffcac74c7823ed504dfac4f88d84ba5df git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8 git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe a1d21bcd78cf4a4353e1e835789429c6b76aca8b git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe f06969df2e40ab1dc8f4364a5de967830c74a098 git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe af82d8d2179b7277ad627c39e7e0778f1c86ccdb git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe 8d431391320c5c5398ff966fb3a95e68a7def275 git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe 978a12c91b38bf1a213e567f3c20e2beef215f07 git Not specified
CNA Linux Linux affected aa98d7cf59b5b0764d3502662053489585faf2fe c6854e5a267c28300ff045480b5a7ee7f6f1d913 git Not specified
CNA Linux Linux affected 2.6.18 Not specified
CNA Linux Linux unaffected 2.6.18 semver Not specified
CNA Linux Linux unaffected 4.19.316 4.19.* semver Not specified
CNA Linux Linux unaffected 5.4.278 5.4.* semver Not specified
CNA Linux Linux unaffected 5.10.219 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.161 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.93 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.33 6.6.* semver Not specified
CNA Linux Linux unaffected 6.8.12 6.8.* semver Not specified
CNA Linux Linux unaffected 6.9.3 6.9.* semver Not specified
CNA Linux Linux unaffected 6.10 * original_commit_for_fix Not specified
ADP Siemens SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem affected * custom Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-265688.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
lists.debian.org/debian-lts-announce/2024/06/msg00020.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org
git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report