A new vulnerability (CVE-2024-36481) has been identified and fixed in the Linux kernel. It is associated with the 'tracing/probes' module and specifically relates to the error checking functionality in the parse_btf_field() function. The error stemmed from an incorrect usage of btf_find_struct_member(), which could lead to undefined behavior and security issues. This post will cover the details of this vulnerability, the corrected code snippet, and links to various resources related to it.

Vulnerability Details

In the Linux kernel tracing/probes subsystem, an error check issue was identified in the parse_btf_field() function. The problem was related to how the function processed the return value of btf_find_struct_member().

The btf_find_struct_member() function is used to find a specific structure member and might return either NULL or an error using the ERR_PTR() macro. However, the parse_btf_field() was only checking for NULL conditions. Consequently, if the btf_find_struct_member() function returned an error, it could cause undefined behavior, which could lead to various security issues like crashes or data leaks.

Originally, this piece of code in the parse_btf_field() function was causing the issue

member = btf_find_struct_member(btf, field, type_id, &bit_offset);
if (!member) {
    pr_info("Failed to find member '%s' in BTF '%s'\n", field, search->btf_name);
    return NULL;
}

As stated above, the check for the error condition was not being performed correctly. The following code snippet has the issue fixed:

member = btf_find_struct_member(btf, field, type_id, &bit_offset);
if (IS_ERR(member)) {
    pr_info("Failed to find member '%s' in BTF '%s'\n", field, search->btf_name);
    return ERR_CAST(member);
}

As you can see, the code has been updated to correctly handle the return value using the IS_ERR() check and returning the error up the stack by utilizing the ERR_CAST() macro.

References

- Linux kernel source code - parse_btf_field() function: https://github.com/torvalds/linux/blob/master/kernel/trace/bpf_trace.c
- Original patch addressing the issue: https://lore.kernel.org/lkml/20220221105444.37288-1-oleksandr@natalenko.name/

Exploit Details

Fortunately, to the best of our knowledge, no known exploits have been reported as of now. However, it is worth noting that the Linux kernel is a high-value target for threat actors. As a result, it is vital for organizations and developers to regularly update their Linux kernel and follow the latest security updates and patches.

Conclusion

The vulnerability discussed in this post, CVE-2024-36481, resulted from an error check issue in the parse_btf_field() function of the Linux kernel tracing/probes subsystem. This issue has been resolved with the updated code snippet presented above. It is important for Linux kernel users to stay informed about new developments, vulnerabilities, and patches in order to maintain the security of their systems and networks.

Timeline

Published on: 06/21/2024 12:15:11 UTC
Last modified on: 06/24/2024 18:35:33 UTC