CVE-2024-26981 - An overview of nilfs2 OOB Vulnerability Fix in Linux Kernel

In the Linux kernel, a recently discovered vulnerability, tagged as CVE-2024-26981, has brought attention to a potential weakness in the handling of the nilfs2 filesystem. The issue, which involves an out-of-bounds (OOB) error in the nilfs_set_de_type function, has now been resolved. This post will provide a comprehensive exploration of the vulnerability, the associated patch, and various links to original references for those who want to dive deeper into the details.

The vulnerability is specifically related to the nilfs_set_de_type function, which can be found in the fs/nilfs2/dir.c file of the Linux kernel source code. The function is designed to deal with types of directories within the nilfs2 file system. The issue stems from the size definition of the nilfs_type_by_mode array and the subsequent use of the array's index in the nilfs_set_de_type function. The size of the nilfs_type_by_mode array is defined as "S_IFMT >> S_SHIFT"; however, the function reads from the array using an index determined by "(mode & S_IFMT) >> S_SHIFT".

The original code snippet, which exhibits the OOB issue, looks like this

static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
{
    umode_t mode = inode->i_mode;
    
    de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
}

The problem arises when the index calculation results in a value that is 1 greater than the size of the nilfs_type_by_mode array. This occurs when the condition "mode & S_IFMT == S_IFMT" is met, leading to an OOB error when attempting to access the array.

To address the vulnerability, a patch has been proposed that resizes the nilfs_type_by_mode array to prevent the OOB error. The revised code snippet now looks like this:

static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode *inode)
{
    umode_t mode = inode->i_mode;
    
    /* New array size to prevent OOB error */
    uint8_t nilfs_type_by_mode_new[S_IFMT >> S_SHIFT + 1];

    de->file_type = nilfs_type_by_mode_new[(mode & S_IFMT)>>S_SHIFT];
}

By applying the above patch, the potential for OOB errors is eliminated, effectively resolving the CVE-2024-26981 vulnerability.

For further information on the vulnerability and the patch implementation, you can refer to the following resources:

1. Linux kernel source code
2. nilfs2 official documentation
3. Original patch announcement
4. CVE-2024-26981 entry in MITRE database

In conclusion, while the CVE-2024-26981 vulnerability highlights the need for constant vigilance when it comes to the handling of filesystems within the Linux kernel, the swift resolution of this issue underscores the commitment of the open-source community to maintaining the security and stability of the Linux operating system. With the patch now available for inclusion in future kernel updates, administrators and users alike can be assured that the OOB error has been addressed effectively.

Timeline

Published on: 05/01/2024 06:15:15 UTC
Last modified on: 06/27/2024 12:15:23 UTC