CVE-2024-26973 covers a bug in the Linux kernel's FAT filesystem, fixed upstream by the commit titled "fat: fix uninitialized field in nostale filehandles". When fat_encode_fh_nostale() encodes a file handle without a parent, it writes only the first 10 bytes of the handle (the inode generation, the low 32 bits of the on-disk position and the high 16 bits of that position). Handle lengths are expressed in 32-bit words, so the length must be a multiple of 4 and the handle is reported as 12 bytes long; the last two bytes, the parent_i_pos_hi field, are never written. Whatever the caller's buffer previously held in those two bytes is then copied out to userspace along with the handle. The fix initializes the full reported handle length by zeroing that field in the no-parent path.

Let's take a look at fat_encode_fh_nostale() from fs/fat/nfs.c as it stood before the fix. Note that *lenp, the FAT_FID_SIZE_* constants and the return value of the length check are all counted in 32-bit words, not bytes: FAT_FID_SIZE_WITHOUT_PARENT is 3, i.e. 12 bytes, while the no-parent path only fills the first 10.

static int
fat_encode_fh_nostale(struct inode *inode, __u32 *fh, int *lenp,
		      struct inode *parent)
{
	int len = *lenp;
	struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb);
	struct fat_fid *fid = (struct fat_fid *) fh;
	loff_t i_pos;
	int type = FILEID_FAT_WITHOUT_PARENT;

	/* *lenp is in u32 words; a too-small buffer gets the needed size back */
	if (parent) {
		if (len < FAT_FID_SIZE_WITH_PARENT) {
			*lenp = FAT_FID_SIZE_WITH_PARENT;
			return FILEID_INVALID;	/* 0xff, i.e. 255 */
		}
	} else {
		if (len < FAT_FID_SIZE_WITHOUT_PARENT) {
			*lenp = FAT_FID_SIZE_WITHOUT_PARENT;
			return FILEID_INVALID;
		}
	}

	i_pos = fat_i_pos_read(sbi, inode);
	fid->i_gen = inode->i_generation;
	fid->i_pos_low = i_pos & 0xFFFFFFFF;
	fid->i_pos_hi = (i_pos >> 32) & 0xFFFF;	/* 10 bytes written so far */
	if (parent) {
		i_pos = fat_i_pos_read(sbi, parent);
		fid->parent_i_pos_hi = (i_pos >> 32) & 0xFFFF;
		fid->parent_i_pos_low = i_pos & 0xFFFFFFFF;
		fid->parent_i_gen = parent->i_generation;
		type = FILEID_FAT_WITH_PARENT;
		*lenp = FAT_FID_SIZE_WITH_PARENT;
	} else {
		/* 3 words = 12 bytes are reported, but fid->parent_i_pos_hi
		 * (bytes 10 and 11) was never written: this is the leak */
		*lenp = FAT_FID_SIZE_WITHOUT_PARENT;
	}

	return type;
}

The problem is the no-parent branch: the function reports a length of FAT_FID_SIZE_WITHOUT_PARENT (3 words, 12 bytes) but has only written fid->i_gen, fid->i_pos_low and fid->i_pos_hi (10 bytes). The 16-bit field fid->parent_i_pos_hi, bytes 10 and 11 of the handle, keeps whatever the buffer held before the call. The fix adds a single assignment, fid->parent_i_pos_hi = 0;, to that branch so that every byte of the reported length is initialized.
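To make the arithmetic concrete, here is an added userspace model of the encoder, written for this page rather than taken from the kernel. The struct fat_fid layout and the FILEID_*/FAT_FID_SIZE_* constants mirror the kernel headers; model_inode, encode_fh_nostale() and count_leaked_bytes() are hypothetical stand-ins, and the 0xAA poison pattern simulates whatever stale data the real caller's buffer would hold. The `fixed` flag toggles the one-line patch so the old and new behaviour can be compared side by side.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace copy of the kernel's struct fat_fid: 20 bytes, five u32 words. */
struct fat_fid {
    uint32_t i_gen;
    uint32_t i_pos_low;
    uint16_t i_pos_hi;
    uint16_t parent_i_pos_hi;   /* bytes 10-11: left untouched by the old code */
    uint32_t parent_i_pos_low;
    uint32_t parent_i_gen;
};

#define FAT_FID_SIZE_WITHOUT_PARENT 3   /* in u32 words: 12 bytes */
#define FAT_FID_SIZE_WITH_PARENT ((int)(sizeof(struct fat_fid) / sizeof(uint32_t)))
#define FILEID_FAT_WITHOUT_PARENT 0x71
#define FILEID_FAT_WITH_PARENT    0x72
#define FILEID_INVALID            0xff

/* Hypothetical stand-in for an inode: only what the encoder reads. */
struct model_inode {
    uint32_t i_generation;
    uint64_t i_pos;             /* what fat_i_pos_read() would return */
};

/* Model of fat_encode_fh_nostale(). fixed=0 reproduces the pre-patch logic,
 * fixed=1 adds the initialisation the patch introduced. */
static int encode_fh_nostale(const struct model_inode *inode, uint32_t *fh,
                             int *lenp, const struct model_inode *parent,
                             int fixed)
{
    struct fat_fid *fid = (struct fat_fid *)fh;
    int type = FILEID_FAT_WITHOUT_PARENT;
    int need = parent ? FAT_FID_SIZE_WITH_PARENT : FAT_FID_SIZE_WITHOUT_PARENT;

    if (*lenp < need) {             /* caller's buffer too small: report size */
        *lenp = need;
        return FILEID_INVALID;
    }

    fid->i_gen = inode->i_generation;
    fid->i_pos_low = (uint32_t)(inode->i_pos & 0xFFFFFFFF);
    fid->i_pos_hi = (uint16_t)((inode->i_pos >> 32) & 0xFFFF);   /* 10 bytes */
    if (parent) {
        fid->parent_i_pos_hi = (uint16_t)((parent->i_pos >> 32) & 0xFFFF);
        fid->parent_i_pos_low = (uint32_t)(parent->i_pos & 0xFFFFFFFF);
        fid->parent_i_gen = parent->i_generation;
        type = FILEID_FAT_WITH_PARENT;
        *lenp = FAT_FID_SIZE_WITH_PARENT;
    } else {
        if (fixed)
            fid->parent_i_pos_hi = 0;   /* the patch: cover bytes 10-11 */
        *lenp = FAT_FID_SIZE_WITHOUT_PARENT;   /* 12 bytes reported */
    }
    return type;
}

/* Poison the handle buffer, encode a handle without a parent, and count how
 * many of the reported bytes still carry the poison, i.e. were never written.
 * Sample inode values are constructed so no legitimately written byte is 0xAA. */
int count_leaked_bytes(int fixed)
{
    uint32_t fh[FAT_FID_SIZE_WITH_PARENT];
    int len = FAT_FID_SIZE_WITH_PARENT;
    struct model_inode ino = { .i_generation = 0x12345678,
                               .i_pos = 0x0001000200030004ULL };
    const unsigned char *p = (const unsigned char *)fh;
    int leaked = 0;

    memset(fh, 0xAA, sizeof(fh));   /* stand-in for stale buffer contents */
    int type = encode_fh_nostale(&ino, fh, &len, NULL, fixed);
    assert(type == FILEID_FAT_WITHOUT_PARENT);
    assert(len == FAT_FID_SIZE_WITHOUT_PARENT);

    for (int i = 0; i < len * 4; i++)
        if (p[i] == 0xAA)
            leaked++;
    return leaked;
}

/* Returns the word count the encoder asks for when handed a 1-word buffer. */
int required_words_for_short_buffer(void)
{
    uint32_t fh[FAT_FID_SIZE_WITH_PARENT];
    int len = 1;
    struct model_inode ino = { .i_generation = 1, .i_pos = 2 };
    int type = encode_fh_nostale(&ino, fh, &len, NULL, 1);
    return type == FILEID_INVALID ? len : -1;
}

int main(void)
{
    printf("pre-patch : %d uninitialised byte(s) in a 12-byte handle\n",
           count_leaked_bytes(0));
    printf("post-patch: %d uninitialised byte(s) in a 12-byte handle\n",
           count_leaked_bytes(1));
    return 0;
}
```

On a real system the same observation can be made without any model: mount a FAT filesystem with nfs=nostale_ro (the only mode in which fat_export_ops_nostale, and hence this encoder, is selected), call name_to_handle_at() on a file, and look at bytes 10 and 11 of the returned f_handle. On a fixed kernel they are always zero; on a vulnerable one they hold whatever the kernel's handle buffer contained.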

The issue was reported and fixed by the Linux kernel maintainers. The official patch is the upstream commit "fat: fix uninitialized field in nostale filehandles": Linux kernel commit

Exploit Details

The bug is an information leak from the kernel to userspace: every handle encoded without a parent carries two bytes the kernel never wrote, taken from whatever the handle buffer held before the call. Two things bound the exposure. First, fat_encode_fh_nostale() is only installed when the FAT filesystem is mounted with the nfs=nostale_ro option (visible as such in /proc/mounts), so a default FAT mount does not use this code path. Second, name_to_handle_at() requires no special privilege, so on such a mount any local user who can reach a file on it can obtain handles, and an NFS export of the filesystem would send the same handles to NFS clients. The channel is two bytes of stale kernel memory per call; the commit describes it as a leak of uninitialized information, and the realistic concern is disclosure of fragments of kernel memory that could aid another attack, not direct recovery of something as specific as keys or passwords.

By initializing the full reported handle length in fat_encode_fh_nostale(), the Linux kernel developers have closed the leak. Although the bug is narrow in both preconditions and payload, it is still worth applying: keep kernels current with security patches, and if you rely on nfs=nostale_ro FAT mounts, confirm the running kernel includes this fix.

In conclusion, CVE-2024-26973 was an uninitialized-field bug in the Linux kernel's nostale FAT file handle encoder that exposed two bytes of stale kernel memory per handle. It has been resolved by the upstream commit mentioned above, and keeping your Linux systems up to date with security patches remains the straightforward way to avoid it.

Timeline

Published on: 05/01/2024 06:15:13 UTC
Last modified on: 06/27/2024 12:15:23 UTC