[PATCH 1/2] jffs2: reject truncated summary node before header validation

Michael Bommarito michael.bommarito at gmail.com
Wed Apr 15 05:48:12 PDT 2026 

jffs2_sum_scan_sumnode() is called from jffs2_scan_eraseblock() with
sumsize derived from the on-flash jffs2_sum_marker::offset:

    sumlen = c->sector_size - je32_to_cpu(sm->offset);

A crafted flash image can set sm->offset so that
sumsize < JFFS2_SUMMARY_FRAME_SIZE
(= sizeof(struct jffs2_raw_summary) + sizeof(struct jffs2_sum_marker)
= 40, the minimum frame the writer at jffs2_sum_write_sumnode() emits
and the minimum sumlen that corresponds to a legitimate on-flash
layout).  The function then reads the summary header unchecked:

    crcnode.totlen = summary->totlen;            /* offset +4 */
    crc = crc32(0, &crcnode, sizeof(crcnode)-4);
    if (je32_to_cpu(summary->hdr_crc) != crc)    /* offset +8 */
        goto crc_err;
    if (je32_to_cpu(summary->totlen) != sumsize)
        goto crc_err;
    crc = crc32(0, summary, sizeof(struct jffs2_raw_summary)-8);
    if (je32_to_cpu(summary->node_crc) != crc)   /* offset +28 */
        goto crc_err;
    crc = crc32(0, summary->sum,
                sumsize - sizeof(struct jffs2_raw_summary));

Each header read at offset +4, +8 and +28 of a too-small buffer is a
slab out-of-bounds read.  Worse, sumsize - sizeof(struct
jffs2_raw_summary) underflows in size_t and the final crc32() walks
~16 EiB of memory, which translates to a kernel oops on mount once the
walk hits unmapped memory.

Reachable whenever a crafted JFFS2 flash image is mounted: typical in
embedded systems where flash can be rewritten out-of-band (JTAG, SPI
flasher, hostile firmware update) and the device auto-mounts JFFS2 on
boot, or any CAP_SYS_ADMIN context that supplies the MTD backing.

Bounding on JFFS2_SUMMARY_FRAME_SIZE matches the actual on-flash frame
layout the writer emits and does not reject any legitimate image.

Reproduced on v7.0-rc7 under UML + CONFIG_KASAN=y with a 16 MiB
block2mtd-backed image whose first erase block's jffs2_sum_marker
points at sector_size; pre-fix:

  BUG: KASAN: slab-out-of-bounds in jffs2_sum_scan_sumnode+0x131/0x1611
  Read of size 4 at addr 00000000621fb004 by task mount/31
  Allocated by mtd_kmalloc_up_to via jffs2_scan_medium+0x246
  Located 4 bytes to the right of allocated 4096-byte region

Post-fix the same image is rejected cleanly with a warning and mount
falls back to the full scan path.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito at gmail.com>
---
 fs/jffs2/summary.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index 4521a7723f30..150a9c83cb05 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -577,6 +577,15 @@ int jffs2_sum_scan_sumnode(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb
 	int ret, ofs;
 	uint32_t crc;
 
+	/* Reject frames that can't hold the header + marker the writer
+	 * always emits (also blocks the sumsize - sizeof(*summary)
+	 * size_t underflow at the sum_crc check below). */
+	if (sumsize < JFFS2_SUMMARY_FRAME_SIZE) {
+		JFFS2_WARNING("Summary node too small (%u bytes), skipping.\n",
+			      sumsize);
+		return 0;
+	}
+
 	ofs = c->sector_size - sumsize;
 
 	dbg_summary("summary found for 0x%08x at 0x%08x (0x%x bytes)\n",
-- 
2.53.0

More information about the linux-mtd mailing list