CVE-2024-26935: Linux Kernel SCSI Core Vulnerability fix for unremoved procfs host directory regression
A vulnerability (CVE-2024-26935) has been discovered and resolved in the Linux kernel's SCSI (Small Computer System Interface) core. It concerns a regression in which the per-host procfs directory (/proc/scsi/${proc_name}) was not removed on certain error paths, which produces kernel warnings and leaks the SCSI host proc structure. In this post, we discuss the details of the issue, the kernel log excerpt that exposes it, and the links to the original references for the fix.
Exploit Details
The vulnerability was introduced by commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier"), which aimed to fix a bug related to module loading/unloading. However, it unintentionally led to a potential duplicate call to the hostdir_rm() routine. The resulting regression report was addressed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"), which dropped the hostdir_rm() call from dev_release().
It is crucial to note that the proc directory is created in scsi_host_alloc(), which pairs with scsi_host_dev_release(), while scsi_add_host() pairs with scsi_remove_host(). Removing the proc directory in dev_release() was therefore intended to cover cases in which a SCSI host structure was allocated but scsi_add_host() was never called, a pattern that exists in some error paths, for instance.
Syzkaller triggers this issue through a USB raw gadget device that makes the usb-storage driver fail in usb_stor_probe2(). Checking that path reveals that the BadDevice label leads to scsi_host_put() after a SCSI host allocation without any call to scsi_add_host(). This produces messages like the following in dmesg (and leaks the SCSI host proc structure):
usb-storage 4-1:87.51: USB Mass Storage device detected
proc_dir_entry 'scsi/usb-storage' already registered
WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376
Proposed Fix
The recommended fix is to call scsi_proc_hostdir_rm() in dev_release(), guarded by a check that the host state is still SHOST_CREATED. This handles the case, described in the scsi_host_dev_release() comment, where the SCSI host was allocated but {add,remove}_host() were never called, as in the usb-storage path.
With this proposal, the error path of usb-storage no longer triggers the warning.
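To make the pairing argument above concrete (alloc pairs with dev_release, add_host pairs with remove_host) and to show why only the state-guarded removal satisfies both lifecycles, here is a small user-space model written for this post. It is not kernel code: the *_model functions, the hypothetical release_policy enum and the in-memory /proc registry are constructed for illustration, and SHOST_RUNNING and SHOST_DEL are assumed host state names alongside SHOST_CREATED from the text. The model runs the normal lifecycle and the usb-storage-style alloc-then-put error path under three dev_release() behaviours and reports duplicate removals, leaked directories and "already registered" warnings.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not kernel code) of the SCSI host / procfs lifecycle. */
enum shost_state { SHOST_CREATED, SHOST_RUNNING, SHOST_DEL };

/* Hypothetical: what the dev_release() analogue does with the proc directory. */
enum release_policy {
    RM_ALWAYS,      /* unconditional removal: duplicate call on the normal path */
    RM_NEVER,       /* no removal: leaks on alloc-then-put error paths */
    RM_IF_CREATED   /* proposed fix: remove only if still SHOST_CREATED */
};

struct shost {
    const char *proc_name;
    enum shost_state state;
    int proc_present;        /* per-template refcount, as in the real hostdir_add/rm */
};

/* In-memory stand-in for the /proc/scsi/ directory registry. */
#define MAX_DIRS 4
static const char *proc_dirs[MAX_DIRS];
static int dup_warnings;     /* "proc_dir_entry ... already registered" events */
static int rm_underflows;    /* hostdir_rm() called with nothing left to remove */

static void model_reset(void)
{
    memset(proc_dirs, 0, sizeof proc_dirs);
    dup_warnings = rm_underflows = 0;
}

static int registry_find(const char *name)
{
    for (int i = 0; i < MAX_DIRS; i++)
        if (proc_dirs[i] && strcmp(proc_dirs[i], name) == 0)
            return i;
    return -1;
}

static int registry_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_DIRS; i++)
        n += proc_dirs[i] != NULL;
    return n;
}

static void proc_mkdir_model(const char *name)
{
    if (registry_find(name) >= 0) { dup_warnings++; return; }   /* the WARNING in dmesg */
    for (int i = 0; i < MAX_DIRS; i++)
        if (!proc_dirs[i]) { proc_dirs[i] = name; return; }
}

static void proc_remove_model(const char *name)
{
    int i = registry_find(name);
    if (i >= 0) proc_dirs[i] = NULL;
}

static void hostdir_add(struct shost *h)
{
    if (h->proc_present++ == 0) proc_mkdir_model(h->proc_name);
}

static void hostdir_rm(struct shost *h)
{
    if (h->proc_present == 0) { rm_underflows++; return; }      /* duplicate removal */
    if (--h->proc_present == 0) proc_remove_model(h->proc_name);
}

/* Lifecycle analogues: alloc pairs with put/release, add_host pairs with remove_host. */
static void scsi_host_alloc_model(struct shost *h, const char *name)
{
    h->proc_name = name; h->state = SHOST_CREATED; h->proc_present = 0;
    hostdir_add(h);
}
static void scsi_add_host_model(struct shost *h)    { h->state = SHOST_RUNNING; }
static void scsi_remove_host_model(struct shost *h) { hostdir_rm(h); h->state = SHOST_DEL; }
static void scsi_host_put_model(struct shost *h, enum release_policy p)
{
    /* scsi_host_dev_release() analogue */
    if (p == RM_ALWAYS || (p == RM_IF_CREATED && h->state == SHOST_CREATED))
        hostdir_rm(h);
}

struct outcome { int leaked_dirs; int rm_underflows; int dup_warnings; };

static struct outcome collect(void)
{
    struct outcome o = { registry_count(), rm_underflows, dup_warnings };
    return o;
}

/* Normal driver lifecycle: alloc -> add -> remove -> put. */
struct outcome run_normal_path(enum release_policy p)
{
    model_reset();
    struct shost h;
    scsi_host_alloc_model(&h, "usb-storage");
    scsi_add_host_model(&h);
    scsi_remove_host_model(&h);
    scsi_host_put_model(&h, p);
    return collect();
}

/* usb_stor_probe2()-style error path (alloc -> put) run twice, like a re-probe. */
struct outcome run_error_path_twice(enum release_policy p)
{
    model_reset();
    for (int i = 0; i < 2; i++) {
        struct shost h;
        scsi_host_alloc_model(&h, "usb-storage");
        scsi_host_put_model(&h, p);
    }
    return collect();
}

int main(void)
{
    const char *names[] = { "RM_ALWAYS", "RM_NEVER", "RM_IF_CREATED" };
    for (int p = RM_ALWAYS; p <= RM_IF_CREATED; p++) {
        struct outcome n = run_normal_path(p), e = run_error_path_twice(p);
        printf("%-13s normal: underflows=%d  error path: leaked=%d dup_warnings=%d\n",
               names[p], n.rm_underflows, e.leaked_dirs, e.dup_warnings);
    }
    return 0;
}
```

RM_ALWAYS reproduces the duplicate hostdir_rm() call on the normal path, RM_NEVER reproduces the leaked directory and the "already registered" warning on a second probe, and only RM_IF_CREATED is clean in both scenarios, which is the point of guarding the call on SHOST_CREATED.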
Links to Original References
1. Commit fc663711b944: scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
2. Commit be03df3d4bfe: scsi: core: Fix a procfs host directory removal regression
Conclusion
CVE-2024-26935 has been addressed in the Linux kernel by a fix that calls scsi_proc_hostdir_rm() from dev_release() only when the host is still in the SHOST_CREATED state, avoiding both the duplicate removal and the leak. Applying this fix eliminates the previously reported warning messages and hardens the SCSI core's handling of host allocation and release.
Timeline
Published on: 05/01/2024 06:15:08 UTC
Last modified on: 11/21/2024 09:03:25 UTC