CVE CyberSecurity Database News

CVE-2024-39478: Linux Kernel Vulnerability in crypto: starfive - Preventing Stack Buffer Freeing Mishaps

Poster -

In recent times, Linux kernel developers have been patching several vulnerabilities to fortify the security of systems running on Linux. A new issue labeled as CVE-2024-39478 has been discovered in the Linux kernel which, if exploited, could lead to undefined behavior in subsequent operations. This particular vulnerability exists in the 'crypto: starfive' subsystem of the Linux kernel.

In this post, we will delve into the details of the vulnerability, discuss the patch that has been introduced, and provide code snippets to better understand the issue and its resolution. We will also provide links to the original references for those who want to explore further.

Vulnerability Details

The vulnerability in question pertains to the handling of RSA text data. The RSA text data uses a variable-length buffer that is allocated in the software stack. When the kfree function is called to release this buffer, it results in undefined behavior in subsequent operations. This is because kfree should not be used to free stack-allocated memory.

Original References

The developers submitted the original patch to the Linux kernel mailing list, which you can find here: Linux kernel patch

The vulnerability and fix have been confirmed by the Kernel.org website: Linux kernel confirmation

Code Snippet - Before Patch

Let's examine a code snippet that demonstrates the problematic section in the Linux kernel before the patch was applied.

/* crypto: starfive - Do not free stack buffer */
static int star_rsa_decrypt(struct skcipher_request *req)
{
    ...
    kfree(req->data);
    ...
}

In the above code, kfree() is used to free the memory allocated for req->data, which is of variable length and resides in the software stack. This can lead to undefined behavior in subsequent operations.

Here's how the same function looks like after the patch, which resolves the vulnerability

/* crypto: starfive - Do not free stack buffer */
static int star_rsa_decrypt(struct skcipher_request *req)
{
    ...
    // Remove problematic kfree() call
    ...
}

As you can see, the kfree() call has been removed from the function, which guarantees that the stack buffer associated with req->data will not be freed erroneously. This prevents any potential issues in future operations.

Exploit Details

Although the exact steps to exploit this vulnerability are not publicly disclosed, it is crucial to mitigate the issue as an attacker with sufficient knowledge and access to a vulnerable system may try to manipulate the undefined behavior resulting from freeing the stack buffer.

Conclusion

The Linux kernel CVE-2024-39478 addresses a critical vulnerability in the 'crypto: starfive' subsystem. By removing an unnecessary kfree() call that attempted to release stack-allocated memory, the patch ensures that subsequent operations remain safe and secure. As Linux kernel developers continue to refine and improve the code base, it's essential for users and administrators to stay up-to-date with the latest security patches to maintain robust and secure systems.

Timeline

Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:13 UTC