A newly discovered vulnerability in the Linux kernel (CVE-2024-26870) has been resolved. It affects the Network File System version 4.2 (NFSv4.2) code, specifically the nfs4_listxattr() kernel function, and manifested as a kernel BUG at mm/usercopy.c:102.

Here is a basic overview of the problem:

- In NFSv4.2, a call to listxattr() with a buffer size set to returns the actual size of the buffer needed for a subsequent call.
- When the buffer size was greater than , nfs4_listxattr() did not return an error: either generic_listxattr() or nfs4_listxattr_nfs4_label() consumed all the bytes, so the remaining size was already when nfs4_listxattr_nfs4_user() was called, and that call triggered the kernel BUG.

A detailed log of the kernel BUG can be found in the original references:

- Linux Kernel Mailing List - Patch Submitted
- Linux Kernel Mailing List - Patch Accepted

The resolution adds a check to nfs4_listxattr() so that it returns an ERANGE error when it is called with a buffer size greater than and the computed return value is larger than the buffer size.

Implementing the resolution involves the following code snippet:

u32 size;

size = generic_listxattr(file) + nfs4_listxattr_nfs4_label(file);
nfs4_listxattr_nfs4_user(file, buffer, size);

Add the check on the return value of nfs4_listxattr():

if ((size > ) && (size > count)) {
  return -ERANGE;
}

By adding this check, the kernel BUG is resolved, preventing crashes and improving the overall stability of the Linux kernel when working with the NFSv4.2 file system.
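As an added illustration (not the kernel's code or the upstream patch), the following user-space C model reproduces the logic the page describes: three per-namespace helpers follow the listxattr(2) convention that a zero size is a probe, so when the first two consume the caller's buffer exactly, the third still reports its length and the total outgrows the buffer; the apply_fix flag enables the range check the fix adds. The helper names, the attribute names and the 64-byte buffer are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed attribute names, one per namespace (hypothetical values). */
static const char NS_SYSTEM[] = "system.posix_acl_access";
static const char NS_LABEL[]  = "security.selinux";
static const char NS_USER[]   = "user.comment";

/* Stand-in for one per-namespace helper. A zero `left` is treated as a
 * size probe: nothing is written and the needed length is returned, even
 * when the caller simply ran out of room. That is the behaviour the bug
 * report describes for the last helper in the chain. */
static ssize_t list_namespace(const char *name, char *list, size_t left)
{
    size_t need = strlen(name) + 1;           /* NUL separator included */
    if (list && left) {
        if (need > left)
            return -ERANGE;
        memcpy(list, name, need);
    }
    return (ssize_t)need;
}

/* Sums the helpers; with apply_fix set, a non-probe call can no longer
 * report more bytes than the caller's buffer actually holds. */
static ssize_t nfs_style_listxattr(char *list, size_t size, int apply_fix)
{
    const char *namespaces[] = { NS_SYSTEM, NS_LABEL, NS_USER };
    size_t left = size;
    ssize_t total = 0;

    for (size_t i = 0; i < sizeof namespaces / sizeof namespaces[0]; i++) {
        ssize_t n = list_namespace(namespaces[i], list, left);
        if (n < 0)
            return n;
        if (list) {                           /* left may reach 0 here */
            list += n;
            left = ((size_t)n <= left) ? left - (size_t)n : 0;
        }
        total += n;
    }
    if (apply_fix && size && (size_t)total > size)
        return -ERANGE;                       /* the added range check */
    return total;
}

/* Runs one case against a constructed 64-byte buffer; size 0 is a probe. */
static ssize_t run_case(size_t size, int apply_fix)
{
    char buf[64] = {0};
    return nfs_style_listxattr(size ? buf : NULL, size, apply_fix);
}
```

With a 41-byte buffer (exactly the first two lists) the unfixed path reports 54 bytes, which is what the copy to user space would then trip over; the fixed path returns -ERANGE instead.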

In conclusion, the discovered vulnerability (CVE-2024-26870) in the Linux kernel has been resolved, thanks to the hard work of the open-source community. It is essential to stay up to date with the latest Linux kernel patches to ensure the security and stability of your systems.

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 06/25/2024 23:15:26 UTC