CVE-2024-36288 - Patched Vulnerability in the Linux Kernel: SUNRPC - Loop Termination Condition Fixed in gss_free_in_token_pages()

This post discusses a recently resolved vulnerability (CVE-2024-36288) in the Linux kernel, specifically within the SUNRPC component. During the authentication of RPC messages, this vulnerability arises due to an incorrect loop termination condition in the gss_free_in_token_pages() function. This bug could potentially result in memory corruption or crashes, which can be harmful to the system. Fortunately, this has been addressed and patched by the Linux community. Read on to learn more about the details of this vulnerability and how it has been fixed.

Details

The SUNRPC subsystem (Secure ONC-RPC) is an integral part of the Linux kernel and is responsible for providing secure remote procedure call (RPC) services. RPC is an important communication protocol that enables various programs to communicate with each other remotely across a network. With the use of SUNRPC, these communications are made secure through various authentication mechanisms.

The vulnerability arises in the gss_free_in_token_pages() function, which is used to release the allocated memory for the incoming token pages in the in_token->pages[] array. The issue involves the termination condition for the loop iterating through the array, as it is not NULL terminated. This can lead to a KASAN (Kernel Address Sanitizer) splat, potentially leading to memory corruption or system crashes.

Here is a code snippet demonstrating the change made to fix this vulnerability

// Old code
static void gss_free_in_token_pages(struct gss_in_token *in_token)
{
    int i;

    for (i = ; i < ARRAY_SIZE(in_token->pages) &&
                 in_token->pages[i]; i++) {
        put_page(in_token->pages[i]);
    }
}

// New code
static void gss_free_in_token_pages(struct gss_in_token *in_token)
{
    int i;

    for (i = ; i < in_token->count; i++) {
        put_page(in_token->pages[i]);
    }
}

As seen in the new code snippet, the loop termination condition has been changed to i < in_token->count, which fixes the issue by iterating only through the valid pages within the array.

Original References

1. Linux kernel patch commit: syzbot bug fix
2. Linux kernel mailing list describing the vulnerability: LWN article
3. More information about the Linux kernel and its vulnerabilities can be found on the Linux kernel's official website

Exploit Details

As of now, there are no known public exploits for this vulnerability (CVE-2024-36288). However, users running Linux systems should make sure to update their kernel to the latest version as a precautionary measure.

In summary, the CVE-2024-36288 vulnerability in the Linux kernel's SUNRPC subsystem has been identified and successfully patched. The incorrect loop termination condition in the gss_free_in_token_pages() function could have led to memory corruption or system crashes. By changing the termination condition to iterate only through valid pages in the array, this issue has been effectively addressed. Be sure to update your Linux kernel to the latest version to ensure that this vulnerability does not affect your system.

Timeline

Published on: 06/21/2024 12:15:10 UTC
Last modified on: 06/27/2024 13:15:59 UTC