CVE-2024-25739: Linux Kernel Crash due to Zero-byte Allocation in Create_Empty_Lvol Function

In this post, we will be discussing about the security vulnerability CVE-2024-25739 discovered in the Linux kernel prior to version 6.7.4. The vulnerability is associated with the function create_empty_lvol() in the file drivers/mtd/ubi/vtbl.c, which can crash the system due to a missing check for the variable ubi->leb_size. We will explain the exploit details, show a code snippet that demonstrates the issue, and provide references to the original sources for further information.

Exploit Details

The vulnerability arises from the improper handling of an edge case, where the function create_empty_lvol() in the Universal Block I/O (UBI) layer of the Linux kernel can attempt to allocate a memory buffer of zero bytes, leading to unpredictable behavior and system crashes. A malicious actor with local access to the system could exploit this issue to gain unauthorized privileges, cause a Denial of Service (DoS) attack, or execute arbitrary code.

To understand the vulnerability, let's take a look at the problematic part of the code in the file drivers/mtd/ubi/vtbl.c:

static struct ubi_volume *create_empty_lvol(struct ubi_device *ubi, int vol_id)
{
    ...
    vol->usable_leb_size = ubi->leb_size;
    vol->used_ebs = ;
    vol->used_bytes = ;
    ...
}

Here, the create_empty_lvol() function is allocating an empty volume that is expected to hold Logical Erase Blocks (LEBs) for the UBIFS file system. The function takes two parameters:

* ubi: A pointer to a ubi_device structure, which represents the UBI device handling the flash memory.
* vol_id: The ID of the volume that will be created.

In the code snippet above, the variable vol->usable_leb_size is assigned ubi->leb_size, which represents the size of the LEBs. However, there is no validation check to ensure that ubi->leb_size is not zero. If ubi->leb_size is zero, the system will attempt to allocate zero bytes in further memory management functions, which could cause an unexpected kernel crash.

The vulnerability was initially reported by Borja Marcos and later addressed by kernel developer Rasmus Villemoes in the following patch:

Linux kernel patch fixing CVE-2024-25739

The associated entry in the Common Vulnerabilities and Exposures (CVE) database can be found here

CVE-2024-25739 entry in the CVE database

Kernel.org provides the patch details that fix this vulnerability in the Linux kernel version 6.7.4

Linux Kernel v6.7.4 Changelog

Conclusion

CVE-2024-25739 highlights a critical security vulnerability in the Linux kernel versions prior to 6.7.4, which could lead to crashes, unauthorized access, and malicious code execution. This issue emphasizes the importance of ongoing vulnerability scanning, patching, and keeping up-to-date with the Linux kernel and other open-source software regularly.

To protect your system from this vulnerability, it is highly recommended to update the Linux kernel to version 6.7.4 or later, which contains the patch that resolves this issue.

Timeline

Published on: 02/12/2024 03:15:32 UTC
Last modified on: 03/25/2024 01:15:55 UTC