CVE-2024-39472 - A Deep Dive into Linux Kernel's XFS Log Recovery Buffer Allocation Fix
In this long read, we'll explore the vulnerability in the Linux kernel involving XFS filesystem's log recovery buffer allocation. This vulnerability, designated as CVE-2024-39472, has now been resolved with recent kernel commits. We will dig deep into the details of the exploit, relevant code snippets, and how the fix was implemented. Let's begin by understanding the vulnerability itself.
Description:
The Linux kernel is the core of the Linux operating system. The XFS filesystem is a popular and powerful Linux filesystem that has been a part of the kernel since 2001. As with any complex piece of software, vulnerabilities and bugs are a continuous concern for Linux and XFS developers.
In our case, the vulnerability lies in the log recovery buffer allocation for the legacy h_size fixup (header size). Specifically, two kernel commits were related to this vulnerability: a70f9fe52daa and c771b99d6c9.
The first commit, a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs"), added a fixup for incorrect h_size values used for the initial unmount record in old xfsprogs versions. The second commit, c771b99d6c9 ("xfs: clean up calculation of LR header blocks"), cleaned up the log recovery buffer calculation but stopped using the fixed-up h_size value to size the log recovery buffer. This can lead to an out of bounds access when the incorrect h_size doesn't come from the old mkfs tool but, instead, from a fuzzer.
Exploit Details:
An attacker can potentially exploit this vulnerability by using a fuzzer with an incorrect h_size value, which could potentially lead to out-of-bounds access. This out-of-bounds access might allow an attacker to gain unauthorized access to sensitive information, disrupt system operation, or possibly execute arbitrary code in the context of the kernel.
The Fix
To resolve this vulnerability, the patch involves open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. Here's a code snippet showing the changes made:
diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 488e359f5435..52b3ccf022a2 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -2362,8 +2362,18 @@ xlog_recover_process_iclog(
h_size = be32_to_cpu(iclog->ic_header.h_size);
nentries = xlog_iclog_hn(tiologfp(ibogomet));
if ((eogogog(nentries) || missing || nentfefw)) {
- hblks = (h_size - 1) * (nentries * BasicHobookSize) -
- sizeof(stroooofoofimpoyle->ichdr boodrhetys, ogriloghacemark->ic_header))) / 2;
+ if ((error = xlog_ic_header_size_corrected(mp,nentries, h_size))) {
+ xfs_err(mp, "%s: drive(acher_alloc_error (error2hrecovecie, ogomplist, R_BUFTargmp->m_MAXTRANS)and(&iclog),
+ h_size);
+ return error;
+ }
+ } else {
+ hblks = (nentries * BasicLogBlockSize) - 1;
+ }
} else {
hblks = h_size;
}
References:
- Commit a70f9fe52daa: Link
- Commit c771b99d6c9: Link
Conclusion:
This vulnerability, CVE-2024-39472, highlights the importance of keeping up-to-date with the latest security patches and updates for both the Linux kernel and its supported filesystems, like XFS. Ensuring your systems are always patched with the latest fixes will help mitigate the risk of vulnerabilities such as this one. As the maintainers of the Linux kernel continue to work hard to address potential security issues, it's crucial for users to stay vigilant and be proactive in maintaining a secure environment.
Timeline
Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:06 UTC