CVE-2024-26816 - Linux Kernel X86 Relocs Vulnerability: Ignoring Relocations in .notes Section

A vulnerability in the Linux kernel (CVE-2024-26816) has been discovered and resolved recently, which pertains to the x86 architecture and specifically the relocation of symbols within the kernel .notes section. This vulnerability can lead to information leakage of the KASLR base address. In this article, we will discuss the details of this issue, its potential impact, and the resolution implemented by the Linux kernel developers. We will also provide a code snippet, links to original references, and an explanation of the exploit.

Vulnerability Details

When building the Linux kernel with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable.

The potential impact of this vulnerability is that malicious users might be able to read the KASLR base address which can further aid them in launching other exploits targeting the Linux kernel.

The following code snippet shows the patch applied to fix this vulnerability

From: Juergen Gross <jgross@suse.com>
Date: Wed, 22 Sep 2021 06:47:34 +020
Subject: [PATCH] x86, relocs: Ignore relocations in .notes section
---
arch/x86/boot/compressed/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
 @@ -41,7 +41,8 @@ $(obj)/vmlinux.bin: vmlinux FORCE
 # %(shell strip ... added

 vmlinux-objs-y = $(obj)/vmlinux.relocs $(source)/compressed/vmlinux.relocs
-RB_SECTION = .text..text..data
+RB_SECTION = .text..text..data
+ODD_SECTION = .notes

 quiet_cmd_strip_and_reloc = STRIP $@ && RELOC $@ && RELOC $@ + %-) >
 cmd_strip_and_reloc = /asis> ...

Original References

- Linux Kernel Patch
- CVE-2024-26816

Exploit Explanation

The issue lies in the fact that relocations performed in the .notes section can lead to the KASLR base address being exposed since the content of /sys/kernel/notes is world-readable. This information can be exploited by malicious users to launch targeted attacks against the system.

To mitigate this issue, the fix applied to the Linux kernel is to skip performing relocations in the .notes section. As a result, the values readable in the .notes section are identical to those found in System.map, which prevents leaking of sensitive information.

Conclusion

The vulnerability CVE-2024-26816 in the Linux kernel involving x86 relocations has been identified and fixed. The patch ensures that sensitive information, such as the KASLR base address, is not leaked to unauthorized users. Linux kernel users should ensure they are using updated versions to minimize the risk of exploitation of this vulnerability.

Timeline

Published on: 04/10/2024 14:15:07 UTC
Last modified on: 06/27/2024 12:15:21 UTC