F2FS Hit By Three Security Vulnerabilities: Memory Corruption, Possible Code Execution

Written by Michael Larabel in Linux Storage on 8 August 2017 at 05:47 AM EDT.

Btrfs isn't the only Linux file-system taking some heat: the Flash-Friendly File-System (F2FS) is now having a tough week with three CVEs going public.

Three CVEs were disclosed this morning that affect both Linux and Android, with Google's OS having already seen F2FS support. The vulnerabilities, discovered by Trend Micro researchers, are in F2FS' system structure parsing. Mounting a malicious disk or local file image could corrupt memory, yielding out-of-boundary writes and in turn opening the kernel up to arbitrary code execution.

CVE-2017-10663 is over a missing buffer boundary check, CVE-2017-10662 concerns a possible integer overflow, and the third issue, CVE-2017-0750, is another missing boundary check. The third issue has been fixed in Linux 4.4.73, although many Android devices are running kernels that predate that LTS update.

More details on these newly-discovered F2FS file-system problems are available via Trend Micro's blog.