A vulnerability in the Linux kernel, CVE-2024-39482, has been resolved. It affected bcache, the subsystem used to cache data for Linux block devices. This blog post provides an overview of the vulnerability, the relevant code, links to the original references, and exploit details.
Vulnerability Overview
The vulnerability was present in the btree_iter implementation, an essential component of the bcache subsystem. btree_iter is used to iterate over bcache metadata, specifically the btree nodes. Before the patch, the struct had a fixed-length array of size MAX_BSETS, which was indexed out of bounds for the dynamically-sized iterators allocated from a mempool. This caused the Undefined Behavior Sanitizer (UBSAN) to generate runtime error reports.
Here's the patch summary:
bcache: fix variable length array abuse in btree_iter
btree_iter is used in two ways: either allocated on the stack with a
fixed size MAX_BSETS, or from a mempool with a dynamic size based on the
specific cache set. Previously, the struct had a fixed-length array of
size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized
iterators, which causes UBSAN to complain.
This patch uses the same approach as in bcachefs's sort_iter and splits
the iterator into a btree_iter with a flexible array member and a
btree_iter_stack which embeds a btree_iter as well as a fixed-length
data array.
Code Snippet
The following snippet shows the patched definitions of the two structs: btree_iter now ends in a flexible array member, and btree_iter_stack wraps it together with a fixed-length data array for the stack-allocated case:
struct btree_iter {
	size_t size, used;
#ifdef CONFIG_BCACHE_DEBUG
	struct btree_keys *b;
#endif
	/* Flexible array member: sized per cache set when the iterator comes from the mempool. */
	struct btree_iter_set {
		struct bkey *k, *end;
	} data[];
};

/* Fixed-size btree_iter that can be allocated on the stack. */
struct btree_iter_stack {
	struct btree_iter iter;
	struct btree_iter_set stack_data[MAX_BSETS];
};
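To make the before/after difference concrete, here is an added user-space model of the pattern the patch describes (example code, not the kernel's own): the mempool-sized iterator ends in a flexible array member whose allocation size is computed the way the kernel's struct_size() does, and a stack wrapper supplies a fixed array. The value of MAX_BSETS, the iter_set fields and the helper names are assumptions for this demo.

```c
#include <stddef.h>
#include <stdlib.h>
#define MAX_BSETS 4 /* bcache's constant; the value is assumed for this demo */

/* Stand-in for bcache's per-bset entry (struct btree_iter_set). */
struct iter_set { const char *k, *end; };

/* After the fix: data[] is a flexible array member sized at allocation time.
 * Before it, data[MAX_BSETS] was inline, so a mempool buffer larger than the
 * struct was still indexed past a fixed-size array (the UBSAN report). */
struct btree_iter {
	size_t size, used;
	struct iter_set data[];
};

/* Stack variant; embedding a flexible-array struct is a GNU C extension the kernel uses. */
struct btree_iter_stack {
	struct btree_iter iter;
	struct iter_set stack_data[MAX_BSETS];
};

/* Bytes for an iterator with n entries, like the kernel's struct_size(). */
size_t iter_alloc_size(size_t n)
{
	return offsetof(struct btree_iter, data) + n * sizeof(struct iter_set);
}

/* Mempool-style allocation: n may exceed MAX_BSETS without any OOB index. */
struct btree_iter *iter_alloc(size_t n)
{
	struct btree_iter *it = calloc(1, iter_alloc_size(n));
	if (it) it->size = n;
	return it;
}

/* Stack setup: capacity is exactly the embedded array. */
struct btree_iter *iter_stack_init(struct btree_iter_stack *s)
{
	s->iter.size = MAX_BSETS;
	s->iter.used = 0;
	return &s->iter;
}

/* Bounds check at the write: overflow is an error return, not UB. */
int iter_push(struct btree_iter *it, const char *k, const char *end)
{
	if (it->used >= it->size) return -1;
	it->data[it->used++] = (struct iter_set){ k, end };
	return 0;
}
```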
For more information on the original issue, refer to the following links:
- Linux kernel mailing list post discussing the vulnerability: https://lore.kernel.org/linux-bcache/20210115235545.ea39a3dd6337.I882db5cc75f1ae142e44b41447db651d42a87e37@changeid/git-send-email-khughitt@ncoriolis.com/
- Patch submitted to the Linux kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ddc7bce8ae9921eb53eeaffd1078e882274f025
Exploit Details
The exploitability of this vulnerability is considered low because the bcache subsystem is not commonly used in most Linux distributions. Additionally, no public exploits or proof-of-concepts were known at the time of writing.
However, if an attacker were able to exploit this vulnerability, the result could be undefined behavior, a potential denial of service, or information leaks. It is strongly recommended to patch this vulnerability as soon as possible by updating to the latest version of the Linux kernel.
Conclusion
CVE-2024-39482 demonstrates the importance of proper handling of variable length arrays in the Linux kernel to prevent potential security issues. By promptly addressing the vulnerability and applying the patch, Linux users can protect themselves from undefined behavior, denial of service, and information leaks.
Timeline
Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:18 UTC