CVE-2024-26816 - Linux Kernel X86 Relocs Vulnerability: Ignoring Relocations in .notes Section
A vulnerability in the Linux kernel (CVE-2024-26816) has been discovered and resolved recently, which pertains to the x86 architecture and specifically the relocation of symbols within the kernel .notes section. This vulnerability can lead to information leakage of the KASLR base address. In this article, we will discuss the details of this issue, its potential impact, and the resolution implemented by the Linux kernel developers. We will also provide a code snippet, links to original references, and an explanation of the exploit.
Vulnerability Details
When building the Linux kernel with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable.
The potential impact of this vulnerability is that malicious users might be able to read the KASLR base address which can further aid them in launching other exploits targeting the Linux kernel.
The following code snippet shows the patch applied to fix this vulnerability
From: Juergen Gross <jgross@suse.com>
Date: Wed, 22 Sep 2021 06:47:34 +020
Subject: [PATCH] x86, relocs: Ignore relocations in .notes section
---
arch/x86/boot/compressed/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -41,7 +41,8 @@ $(obj)/vmlinux.bin: vmlinux FORCE
# %(shell strip ... added
vmlinux-objs-y = $(obj)/vmlinux.relocs $(source)/compressed/vmlinux.relocs
-RB_SECTION = .text..text..data
+RB_SECTION = .text..text..data
+ODD_SECTION = .notes
quiet_cmd_strip_and_reloc = STRIP $@ && RELOC $@ && RELOC $@ + %-) >
cmd_strip_and_reloc = /asis> ...
Original References
- Linux Kernel Patch
- CVE-2024-26816
Exploit Explanation
The issue lies in the fact that relocations performed in the .notes section can lead to the KASLR base address being exposed since the content of /sys/kernel/notes is world-readable. This information can be exploited by malicious users to launch targeted attacks against the system.
To mitigate this issue, the fix applied to the Linux kernel is to skip performing relocations in the .notes section. As a result, the values readable in the .notes section are identical to those found in System.map, which prevents leaking of sensitive information.
Conclusion
The vulnerability CVE-2024-26816 in the Linux kernel involving x86 relocations has been identified and fixed. The patch ensures that sensitive information, such as the KASLR base address, is not leaked to unauthorized users. Linux kernel users should ensure they are using updated versions to minimize the risk of exploitation of this vulnerability.
Timeline
Published on: 04/10/2024 14:15:07 UTC
Last modified on: 06/27/2024 12:15:21 UTC