CVE-2024-26955 - Linux Kernel Vulnerability Resolved: nilfs2 Prevents Kernel Bug at submit_bh_wbc()

Security is a top priority in software development, and even the most secure operating systems are susceptive to vulnerabilities. One recent example is a bug in the Linux kernel, commonly referred to as CVE-2024-26955. This critical vulnerability affects the nilfs2 component of the Linux kernel, mainly dealing with filesystem management. The Linux kernel developers have successfully addressed and resolved this issue through a significant patch.

The Issue

The main problematic function in this vulnerability is nilfs_get_block() which returns a successful status when searching and inserting the specified block both fail inconsistently. Under normal circumstances, the function should not trigger an error when this inconsistency occurs. However, if the inconsistency is due to a previously fixed bug or an unexpected race condition, the function would return a temporary error, -EAGAIN.

This inconsistent behavior is problematic as callers such as __block_write_begin_int() may end up requesting a read into a buffer that is not mapped. Consequently, the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() would fail, leading to a potential kernel bug.

The Patch

The Linux kernel developers have released a patch to resolve this vulnerability, modifying the behavior in the nilfs2 code responsible for managing filesystems. The patch ensures that the nilfs_get_block() function returns a temporary error when an inconsistency in searching and inserting specified blocks is detected. This change effectively prevents the kernel bug and returns the system to a stable state.

Here's a code snippet showing the patched implementation of nilfs_get_block()

int nilfs_get_block(struct inode *inode, sector_t iblock,
         struct buffer_head *bh_result, int create)
{
    int err;

    err = nilfs_bmap_lookup(NILFS_I(inode)->i_bmap, iblock, &block); 
    if (err != -ENOENT)
        goto map;

    if (create) {
        err = nilfs_bmap_insert(NILFS_I(inode)->i_bmap, iblock, block); 
        if (err == -EEXIST)
            goto map;

        if (err == -ENOMEM || err == -EFSCORRUPTED)
            return err;

        /* Possible race condition */
        if (err)
            return -EAGAIN;

        set_buffer_new(bh_result);
    }
    return ;

map:
    if (!err) {
        map_bh(bh_result, inode->i_sb, block);
        bh_result->b_size = 1 << inode->i_blkbits;
    }
    return err;
}

For more information about this vulnerability and the patch, please refer to the following resources

1. Linux Kernel Mailing List (LKML) patch submission: https://www.spinics.net/lists/linux-nilfs/msg01618.html
2. Patch details on GitHub: https://github.com/torvalds/linux/commit/3364114
3. Technical explanation of the vulnerability: https://lore.kernel.org/r/20180531175422.1934583-1-am_slitwr@t-online.de

Conclusion

CVE-2024-26955 showcases that even the most reliable and widely-used operating systems such as Linux can still contain vulnerabilities. However, the Linux kernel development team remains vigilant in identifying, addressing, and resolving such issues promptly. Anyone using a Linux system should always keep their kernel up-to-date with the latest patches, ensuring the security and stability of their systems.

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 06/27/2024 13:15:57 UTC