CVE-2024-36978 - Linux Kernel Vulnerability in net: sched: sch_multiq: Resolved through OOB Write Fix in multiq_tune()

The Linux kernel is an essential part of any Linux-based operating system. However, like any complex piece of software, it is not immune to vulnerabilities that could be exploited by malicious actors. One such vulnerability, identified as CVE-2024-36978, has recently been resolved thanks to diligent developers who have taken steps to address the issue.

In this article, we will cover the details of this vulnerability, including the problematic code snippet and the steps that have been taken by the Linux kernel development team to mitigate the issue. You will learn about the original reference sources and links to further resources for understanding the related exploit.

Vulnerability Details

The vulnerability was discovered in the net/sched/sch_multiq.c component of the Linux kernel. The affected code, specifically, is located in the 'multiq_tune()' function. The issue arises from two possible out-of-bounds (OOB) write operations when the 'q->bands' and 'qopt->bands' quantities are assigned following a kmalloc operation.

Before the fix, the problematic code snippet appeared as follows

static int multiq_tune(struct Qdisc *sch, struct nlattr *opt,
                       struct netlink_ext_ack *extack)
{
    struct multiq_sched_data *q = qdisc_priv(sch);
    struct tc_multiq_qopt *qopt;
    ...

    qopt = nla_data(opt);
    if (qopt->bands > MULTIQ_MAX_BANDS || qopt->bands < 2)
        return -EINVAL;

    oldbands = q->bands;

    q->bands = qopt->bands;
    newbands = kmalloc(q->bands * sizeof(struct Qdisc *),
                       GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
    if (!newbands)
        return -ENOMEM;
    ...
}

Mitigation and Resolution

To address the vulnerability, the Linux kernel developers have changed the order of how 'q->bands' and 'qopt->bands' are handled and assigned so that the old 'q->bands' value is not utilized in the kmalloc operation. This modification ensures that the out-of-bounds write is prevented.

After the fix, the code appears as follows

static int multiq_tune(struct Qdisc *sch, struct nlattr *opt,
                       struct netlink_ext_ack *extack)
{
    struct multiq_sched_data *q = qdisc_priv(sch);
    struct tc_multiq_qopt *qopt;
    ...

    qopt = nla_data(opt);
    if (qopt->bands > MULTIQ_MAX_BANDS || qopt->bands < 2)
        return -EINVAL;

    oldbands = q->bands;

    newbands = kmalloc(qopt->bands * sizeof(struct Qdisc *),
                       GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
    if (!newbands)
        return -ENOMEM;

    q->bands = qopt->bands;
    ...
}

Original References

The resolution of this vulnerability has been documented in the official Linux kernel repository and mailing list where it was discovered and initially reported.

Git Commit (Linux Kernel Repository): link

Linux Kernel Mailing List: link

In conclusion, the CVE-2024-36978 vulnerability in the Linux kernel has been successfully resolved by developers. Understanding the details about this issue and the accompanying fix will serve as a valuable resource for Linux administrators and developers alike.

Through continuous attention to addressing exploitable vulnerabilities and keeping systems up-to-date, the open-source community demonstrates its commitment to secure and stable operating systems. Stay informed about potential security vulnerabilities in order to maintain a safe Linux environment.

Timeline

Published on: 06/19/2024 07:15:46 UTC
Last modified on: 08/19/2024 18:31:13 UTC