A recently identified vulnerability in the Linux kernel has been resolved. The vulnerability, CVE-2024-26993, affected the sysfs_break_active_protection() function and could lead to a reference leak due to a missing explicit kobject_put() call.

Exploit Details

The sysfs_break_active_protection() routine is susceptible to a reference leak in its error path. This occurs when the kernfs_find_and_get() call fails, leaving the 'kn' variable NULL. Consequently, the companion sysfs_unbreak_active_protection() routine is never invoked on that path (and if it were, it would fault while dereferencing kn->parent).

The vulnerability results from the reference to 'kobj' never being released: it is acquired at the start of the function but not explicitly dropped in the error path when 'kn' is NULL.

Code Snippet

/* Simplified sketch of the fixed routine; see the referenced commit for the kernel source. */
struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj,
                                                  const struct attribute *attr)
{
    struct kernfs_node *kn;

    /* Take a reference on kobj; the companion sysfs_unbreak_active_protection()
     * is expected to drop it later, after the caller is done. */
    kobject_get(kobj);

    kn = kernfs_find_and_get(kobj->sd, attr->name);
    if (!kn) {
        /* Fix: the companion routine never runs on this path, so release
         * the reference here instead of leaking it. */
        kobject_put(kobj);
        return NULL;
    }

    kernfs_break_active_protection(kn);
    return kn;
}

Solution

To rectify the reference leak, an explicit kobject_put() call must be added when 'kn' is NULL. This releases the reference to 'kobj' correctly on the error path, closing the leak and reducing the likelihood of the vulnerability being exploited.
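To make the error-path leak concrete, here is a constructed userspace model of the get/put pattern described above (an added example, not kernel code and not from the referenced commit): a kobject with a plain integer reference count, a lookup that can fail like kernfs_find_and_get(), and the pre-fix shape beside the fixed shape. leaked_refs() reports how many references are left dangling after the break/unbreak sequence; all names in it are the example's own.

```c
/* Constructed userspace model of the CVE-2024-26993 reference leak; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct kobject { int refcount; };                /* stand-in for the kernel's kref */
struct kernfs_node { struct kobject *parent; };  /* only the field the model needs */
static struct kernfs_node node;                  /* the single attribute node */
static struct kobject *kobject_get(struct kobject *k) { k->refcount++; return k; }
static void kobject_put(struct kobject *k) { k->refcount--; }

/* Models kernfs_find_and_get(): NULL when the attribute is missing. */
static struct kernfs_node *find_node(struct kobject *kobj, bool exists)
{
    if (!exists) return NULL;
    node.parent = kobj;
    return &node;
}

/* Pre-fix shape: a reference is taken, but the NULL path never drops it. */
static struct kernfs_node *break_protection_leaky(struct kobject *kobj, bool exists)
{
    kobject_get(kobj);
    return find_node(kobj, exists);
}

/* Fixed shape: the error path releases the reference it acquired. */
static struct kernfs_node *break_protection_fixed(struct kobject *kobj, bool exists)
{
    kobject_get(kobj);
    struct kernfs_node *kn = find_node(kobj, exists);
    if (!kn)
        kobject_put(kobj);
    return kn;
}

/* Success-path companion (models sysfs_unbreak_active_protection()); it
 * dereferences kn->parent, which is why it cannot run when kn is NULL. */
static void unbreak_protection(struct kernfs_node *kn) { kobject_put(kn->parent); }

/* Drives one variant through break/unbreak and returns how many references
 * remain above the starting count; anything above 0 is a leak. */
int leaked_refs(bool fixed, bool lookup_succeeds)
{
    struct kobject kobj = { .refcount = 1 };
    struct kernfs_node *kn = fixed ? break_protection_fixed(&kobj, lookup_succeeds)
                                   : break_protection_leaky(&kobj, lookup_succeeds);
    if (kn)
        unbreak_protection(kn);
    return kobj.refcount - 1;
}
```

Only the pre-fix variant with a failing lookup leaves a reference behind; the other three combinations return to the starting count, which is the balance the kobject_put() fix restores.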

Additional Resources

The original commit that resolved this issue can be found in the Linux kernel source tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df8fd4781e79

Summary

In conclusion, the CVE-2024-26993 vulnerability in the Linux kernel, caused by a reference leak in the sysfs_break_active_protection() function, has been successfully resolved. By including an explicit kobject_put() call in the error path when 'kn' is NULL, the reference to 'kobj' can be correctly released, preventing potential exploitation of the vulnerability.

Timeline

Published on: 05/01/2024 06:15:17 UTC
Last modified on: 06/27/2024 13:15:57 UTC