The Linux kernel community has recently addressed a critical vulnerability in the Virtual Machine Communication Interface (VMCI) subsystem. This security flaw was reported in the "dg_dispatch_as_host()" function, where a run-time warning was detected while fuzzing with Syzkaller. The vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-35944.

Vulnerability Details

The issue was detected in the "dg_dispatch_as_host()" function of the drivers/misc/vmw_vmci/vmci_datagram.c file in the Linux kernel source code. The warning resulted from the "memcpy()" function being used to copy data across multiple members in a structure. This operation is discouraged under FORTIFY_SOURCE, as it could lead to potential security risks and undefined behavior.

Here is the problematic code snippet:

#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)

memcpy(&dg_info->msg, dg, dg_size);

During fuzz testing with Syzkaller, it was found that the payload size could be set to a value that would cause the "memcpy()" operation to copy more bytes than intended, triggering a run-time warning:

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

The fix splits the copy into two parts: assigning the msg structure directly, and copying the payload separately while ensuring the correct size is used.

This approach follows the recommended practice under FORTIFY_SOURCE and helps prevent potential buffer overflows or other security flaws related to improper memory copying.

Here's an example of how the code could be modified to fix the issue:

// Assign the msg structure directly, avoiding memcpy
dg_info->msg = *dg;

// Copy the payload separately, ensuring the correct size is used.
// struct vmci_datagram has no payload member: the payload bytes
// follow the header in memory, so the source is dg + 1.
memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);

By following the above approach, developers can ensure that the Linux kernel's VMCI subsystem is no longer vulnerable to this specific issue. It is crucial for Linux distributions and OS maintainers to apply the necessary patches and update their systems to mitigate any potential exploitation of this vulnerability.
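A userspace model of the copy discussed above, added here as an illustration (it is not kernel code and not the upstream patch). The struct layouts and the names dg_info_model, spans_field, copy_split and make_sample are assumptions made for the example; it shows why a 32-byte payload turns the single memcpy() into a 56-byte write over a 24-byte field, and how the split copy avoids that.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for the kernel types (assumed layout: 24-byte header). */
struct vmci_handle { uint32_t context, resource; };
struct vmci_datagram {
    struct vmci_handle dst, src;
    uint64_t payload_size;
};
struct dg_info_model {              /* hypothetical model of the destination */
    struct vmci_datagram msg;       /* single 24-byte field */
    uint8_t msg_payload[];          /* payload storage right after msg */
};

#define DG_HEADERSIZE sizeof(struct vmci_datagram)
#define DG_SIZE(dg)   (DG_HEADERSIZE + (size_t)(dg)->payload_size)

/* The condition FORTIFY_SOURCE warns about: one memcpy() into &info->msg
 * whose length is larger than the msg field itself. */
int spans_field(const struct vmci_datagram *dg)
{
    return DG_SIZE(dg) > sizeof(((struct dg_info_model *)0)->msg);
}

/* Split copy: header by struct assignment, payload into its own field.
 * Returns NULL on allocation failure; the caller frees the result. */
struct dg_info_model *copy_split(const struct vmci_datagram *dg)
{
    struct dg_info_model *info = malloc(sizeof(*info) + dg->payload_size);
    if (!info)
        return NULL;
    info->msg = *dg;                                      /* 24 bytes */
    memcpy(info->msg_payload, dg + 1, dg->payload_size);  /* payload only */
    return info;
}

/* Constructed sample: a header followed by payload_size bytes of 0xAB. */
struct vmci_datagram *make_sample(size_t payload_size)
{
    struct vmci_datagram *dg = calloc(1, DG_HEADERSIZE + payload_size);
    if (!dg)
        return NULL;
    dg->payload_size = payload_size;
    memset(dg + 1, 0xAB, payload_size);
    return dg;
}
```

With a 32-byte payload, DG_SIZE() is 56 and spans_field() is true, matching the sizes in the warning above; with an empty payload the single copy stays within the 24-byte field.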

Timeline

Published on: 05/19/2024 11:15:50 UTC
Last modified on: 06/27/2024 12:15:26 UTC