A recently fixed vulnerability in the Linux kernel could lead to an out-of-bounds write in the gsm_receive() function of the tty n_gsm line discipline. In this article, we describe how the vulnerability is triggered, show the code change that fixes it, and link to the original references.

Exploit Details

The bug is reached through the following sequence: side A configures n_gsm in basic option mode; side B sends the header of a basic option mode frame announcing a data length of 1; side A then switches to advanced option mode. When side B now sends 2 data bytes, both are accepted as data and gsm->count runs past gsm->len, because gsm->len is not consulted at all in advanced option mode.

Side A then switches back to basic option mode, and side B can keep sending data until gsm_receive() writes past gsm->buf. This is possible because neither gsm->state nor gsm->len is reset when the mux is reconfigured.

Code Snippet

To fix the vulnerability, the developers changed the gsm->count to gsm->len comparison from an equality test to a less-than test, so that a count that has already passed gsm->len still terminates the frame. In addition, upper limit checks against the constant MAX_MRU were added to both gsm_receive() and gsm1_receive(); these harden the receive path against memory corruption of gsm->len and gsm->mru.

The remaining checks are unchanged, as they are still needed to limit the data according to the user configuration and the actual payload size.

Here's the code snippet showcasing the changes:

/* original code */
/* only an exact match ends the frame; a count that already passed
   gsm->len (e.g. after a mode switch) keeps writing into gsm->buf */
if (gsm->count == gsm->len) {
    gsm->state = GSM_SEARCH;
    continue;
}

/* modified code */
if (gsm->count >= MAX_MRU) {
    /* upper limit check: never accept more than the buffer can hold,
       even if gsm->len or gsm->mru has been corrupted */
    gsm->state = GSM_SEARCH;
    continue;
}
if (gsm->count >= gsm->len) {
    /* ">=" instead of "==": a count that has already passed a stale
       gsm->len still ends the frame instead of running on */
    gsm->state = GSM_SEARCH;
    continue;
}
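To make the two failure modes above concrete, here is a small user-space model of the gsm->count / gsm->len / MAX_MRU bookkeeping. It is an added example, not kernel code: the struct, field names, the small MAX_MRU value and the byte sequences are constructed, and a sentinel flag stands in for the real out-of-bounds write. mode_switch_overruns() replays the basic/advanced/basic sequence from the exploit description with and without the patched checks; oversized_len_overruns() shows why the MAX_MRU limit is needed on its own when gsm->len is larger than the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#define MAX_MRU 64      /* constructed: small receive limit so the overrun shows quickly */
enum { GSM_SEARCH, GSM_DATA };
struct mux {            /* stand-in for the fields of struct gsm_mux used here */
    uint8_t buf[MAX_MRU];
    unsigned len, count; int state;
    bool adv;           /* advanced option mode: gsm->len is not consulted */
    bool fixed;         /* apply the patched checks */
    bool oob;           /* set where the unpatched kernel would write past buf */
};
/* Receive one data byte in GSM_DATA state, mirroring the count/len checks. */
static void rx_byte(struct mux *g, uint8_t c)
{
    if (g->state != GSM_DATA) return;
    if (g->count >= MAX_MRU) {
        g->oob = true;  /* model sentinel instead of the real out-of-bounds write */
        return;
    }
    g->buf[g->count++] = c;
    if (g->fixed && g->count >= MAX_MRU) {
        g->state = GSM_SEARCH;  /* patched upper limit check: drop frame, resync */
        return;
    }
    if (g->adv) return;         /* advanced mode ignores gsm->len entirely */
    /* patched: ">=" terminates even if count already passed a stale len */
    if (g->fixed ? g->count >= g->len : g->count == g->len)
        g->state = GSM_SEARCH;
}
/* Replays the advisory's sequence; returns true if the buffer would be overrun. */
static bool mode_switch_overruns(bool fixed)
{
    struct mux g = { .fixed = fixed, .state = GSM_DATA, .len = 1 }; /* basic mode, length 1 */
    g.adv = true;                       /* side A switches to advanced mode: nothing is reset */
    rx_byte(&g, 0x41); rx_byte(&g, 0x42);   /* count is now 2, already past len */
    g.adv = false;                      /* side A switches back to basic mode */
    for (unsigned i = 0; i < MAX_MRU + 8; i++)
        rx_byte(&g, 0x43);              /* side B keeps sending */
    return g.oob;
}
/* A corrupted gsm->len larger than MAX_MRU: only the upper limit check stops it. */
static bool oversized_len_overruns(bool fixed)
{
    struct mux g = { .fixed = fixed, .state = GSM_DATA, .len = MAX_MRU + 16 };
    for (unsigned i = 0; i < g.len; i++)
        rx_byte(&g, 0x44);
    return g.oob;
}
```

With the unpatched checks both functions report an overrun; with the patched checks the frame is dropped and the state machine resynchronises before gsm->buf is exceeded.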

For further information on this vulnerability and its resolution, consult the following resources:

- Official patch announcement: https://patchwork.kernel.org/project/linux-nfs/patch/20211005054337.15747-2-tim.dau@tu-dortmund.de/
- Patchwork details: https://patchwork.kernel.org/project/netdevbpf/patch/20211005054337.15747-2-tim.dau@tu-dortmund.de/

Conclusion

The Linux kernel's tty n_gsm vulnerability, CVE-2024-36016, has been addressed. The fix prevents the out-of-bounds write in gsm_receive() by changing the gsm->count to gsm->len comparison and adding upper limit checks against the constant MAX_MRU in both gsm_receive() and gsm1_receive(). Together these changes stop the memory corruption described above and the security risks that follow from it.

Timeline

Published on: 05/29/2024 19:15:48 UTC
Last modified on: 07/15/2024 07:15:04 UTC