CVE-2024-38599: jffs2: prevent xattr node from overflowing the eraseblock
In the Linux kernel, the following vulnerability has been resolved:
jffs2: prevent xattr node from overflowing the eraseblock
Add a check to make sure that the requested xattr node size is no larger
than the eraseblock minus the cleanmarker.
Unlike the usual inode nodes, the xattr nodes aren't split into parts
and spread across multiple eraseblocks, which means that a xattr node
must not occupy more than one eraseblock. If the requested xattr value is
too large, the xattr node can spill onto the next eraseblock, overwriting
the nodes and causing errors such as:
jffs2: argh. node added in wrong place at 0x0000b050(2)
jffs2: nextblock 0x0000a000, expected at 0000b00c
jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,
read=0xfc892c93, calc=0x000000
jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed
at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
jffs2: Node at 0x0000000c with length 0x00001044 would run over the
end of the erase block
jffs2: Perhaps the file system was created with the wrong erase size?
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x00000010: 0x1044 instead
This breaks the filesystem and can lead to KASAN crashes such as:
BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
Read of size 4 at addr ffff88802c31e914 by task repro/830
CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Arch Linux 1.16.3-1-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xc6/0x120
print_report+0xc4/0x620
? __virt_addr_valid+0x308/0x5b0
kasan_report+0xc1/0xf0
? jffs2_sum_add_kvec+0x125e/0x15d0
? jffs2_sum_add_kvec+0x125e/0x15d0
jffs2_sum_add_kvec+0x125e/0x15d0
jffs2_flash_direct_writev+0xa8/0xd0
jffs2_flash_writev+0x9c9/0xef0
? __x64_sys_setxattr+0xc4/0x160
? do_syscall_64+0x69/0x140
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel JFFS2 filesystem bug. A too-large extended attribute can cross a flash eraseblock boundary, corrupting filesystem data and triggering kernel memory-safety crashes. The public sources do not provide a CVSS score or evidence of active exploitation.
Executive priority
Treat as a targeted kernel reliability and availability risk, not a broad internet-facing emergency. Patch during the next kernel maintenance window, faster for products or systems that expose writable JFFS2 storage to users or tenants.
Technical view
JFFS2 xattr nodes are not split across eraseblocks. Missing size validation allowed an xattr node larger than the eraseblock minus cleanmarker, causing overwrite of adjacent nodes, CRC failures, filesystem breakage, and KASAN slab-out-of-bounds crashes. Stable Linux fixes add a bounds check.
Likely exposure
Exposure is most likely on Linux systems that mount JFFS2 filesystems and allow creation or modification of extended attributes. JFFS2 is flash-oriented; validate appliances, embedded Linux images, recovery partitions, and any Linux hosts using JFFS2.
Exploitation context
The bundle cites Syzkaller discovery and kernel crash output, but no KEV listing and no cited active exploitation. Practical impact appears to require access capable of setting large xattrs on a JFFS2 filesystem.
Researcher notes
The key boundary is xattr node length versus eraseblock size minus cleanmarker. Sources describe corruption and KASAN out-of-bounds reads after malformed oversized xattr storage. They do not establish privilege escalation, remote reachability, or exploit availability.
Mitigation direction
Upgrade to a Linux kernel build containing the referenced stable fixes.
Prioritize systems that mount JFFS2 filesystems with writable extended attributes.
Check Debian LTS and vendor advisories for packaged kernel updates.
Restrict untrusted write access to JFFS2 filesystems where patching is delayed.
Validation and detection
Inventory systems for mounted JFFS2 filesystems and kernel versions.
Map deployed kernels against vendor-fixed package versions or stable commit inclusion.
Review kernel logs for JFFS2 CRC failures, wrong-place nodes, or KASAN reports.
Confirm xattr usage and write access on any JFFS2-backed paths.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-38599 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.