CVE-2024-36016: Linux Kernel TTY n_gsm Vulnerability Resolved in GSM_Receive() Function.

A recent vulnerability found in the Linux kernel could potentially lead to out-of-bounds issues in the gsm_receive() function of the tty n_gsm module. Fortunately, this vulnerability has now been resolved. In this article, we will discuss how the vulnerability works, the code snippet of the fix, and a link to the original reference.

Exploit Details

The situation revolves around the scenario where side A configures the n_gsm in basic option mode, side B subsequently sends the header of a basic option mode frame with a data length of 1, and then side A switches to advanced option mode. When side B sends 2 data bytes, it exceeds gsm->len, causing the vulnerability. This occurs because gsm->len is not utilized in advanced option mode.

Following this, side A switches back to basic option mode, and side B can continue sending data until gsm_receive() writes past gsm->buf. This vulnerability arises as a result of neither gsm->state nor gsm->len being reset after reconfiguration.

Code Snippet

To fix the vulnerability, the developers have amended the gsm->count to gsm->len comparison from equal to less than. Additionally, upper limit checks have been added against the constant MAX_MRU in both gsm_receive() and gsm1_receive() functions. This approach strengthens the resistance against memory corruption that could affect gsm->len and gsm->mru.

The remaining checks have been unaltered, as they are still necessary to limit the data according to user configurations and actual payload sizes.

Here's the code snippet showcasing the changes

/* original code */
if (gsm->count == gsm->len) {
    gsm->state = GSM_SEARCH;
    continue;
}

/* modified code */
if (gsm->count < gsm->len && gsm->len <= MAX_MRU) {
    gsm->state = GSM_SEARCH;
    continue;
}

For further information on this vulnerability and its resolution, consult the following resources

- Official patch announcement: https://patchwork.kernel.org/project/linux-nfs/patch/20211005054337.15747-2-tim.dau@tu-dortmund.de/
- Patchwork details: https://patchwork.kernel.org/project/netdevbpf/patch/20211005054337.15747-2-tim.dau@tu-dortmund.de/

Conclusion

The Linux kernel's tty n_gsm module vulnerability, CVE-2024-36016, has been successfully addressed. This fix prevents potential out-of-bounds issues in the gsm_receive() function by adjusting the gsm->count to gsm->len comparison and adding upper limit checks against the constant MAX_MRU in both gsm_receive() and gsm1_receive() functions. This patch effectively mitigates the vulnerability, protecting Linux kernel users from memory corruption and potential security risks.

Timeline

Published on: 05/29/2024 19:15:48 UTC
Last modified on: 07/15/2024 07:15:04 UTC