CVE-2024-39467: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
syzbot reports a kernel bug as below:
F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4
==================================================================
BUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
BUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]
BUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
Read of size 1 at addr ffff88807a58c76c by task syz-executor280/5076
CPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]
current_nat_addr fs/f2fs/node.h:213 [inline]
f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600
f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]
f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838
__do_sys_ioctl fs/ioctl.c:902 [inline]
__se_sys_ioctl+0x81/0x170 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is we missed to do sanity check on i_xattr_nid during
f2fs_iget(), so that in fiemap() path, current_nat_addr() will access
nat_bitmap w/ offset from invalid i_xattr_nid, result in triggering
kasan bug report, fix it.
Security readout for executives and security teams
Plain-English summary
CVE-2024-39467 is a Linux kernel F2FS filesystem bug. A missing sanity check on inode extended-attribute metadata can make the kernel read outside an expected memory area during FIEMAP handling. The source shows a syzbot/KASAN crash report, but no CVSS score, CWE, confirmed exploitation, or business impact rating.
Executive priority
Treat as a targeted kernel maintenance item, not an emergency internet-wide issue. Prioritize faster where Linux systems process removable media, disk images, mobile/storage workloads, or untrusted F2FS volumes.
Technical view
In F2FS, sanity_check_inode() did not validate i_xattr_nid during f2fs_iget(). In the fiemap path, f2fs_get_node_info() can derive an invalid NAT bitmap offset from that field, causing a slab out-of-bounds read detected by KASAN. Kernel stable commits add the missing validation.
Likely exposure
Exposure appears limited to Linux systems using or mounting F2FS filesystems. The bundle lists Linux as affected across multiple kernel branches, but does not identify distributions, appliances, or default configurations. Systems that never enable or mount F2FS are less likely to be exposed.
Exploitation context
The evidence is a syzbot-generated kernel bug report on a mounted F2FS loop device. The bundle marks KEV as false and provides no cited evidence of active exploitation, public weaponization, or remote attack paths.
Researcher notes
The source does not assign CVSS or CWE. Impact is inferred only from the reported slab out-of-bounds read and KASAN crash path, so avoid overstating confidentiality, integrity, or availability consequences without vendor confirmation.
Mitigation direction
Update to a Linux kernel containing the referenced stable F2FS fixes.
Check your Linux distribution advisory for backported fixes and package versions.
Avoid mounting untrusted F2FS filesystems until patched.
Disable or remove F2FS support where it is not operationally required.
Validation and detection
Inventory Linux systems with F2FS support enabled or F2FS volumes mounted.
Compare running kernel builds against vendor-fixed package versions or stable fix commits.
Review kernel logs for F2FS, KASAN, or FIEMAP-related crash evidence.
Confirm patched systems can mount required F2FS volumes without regression.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-39467 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.