CVE-2024-42079 - Resolving NULL Pointer Dereference in GFS2 Log Flush within the Linux Kernel

In the Linux kernel, the GFS2 (Global File System 2) implementation contains a vulnerability that can lead to a NULL pointer dereference if outstanding glock work races with an unmount operation. CVE-2024-42079 has been assigned to this particular issue, which is related to the gfs2_log_flush() function. This post aims to provide a brief overview of the vulnerability, its resolution, and share relevant code snippets along with references to the original sources.

Description of the vulnerability

When the GFS2 file system is being used in a Linux environment, the gfs2_log_flush() function is responsible for flushing the journal to disk. However, it was discovered that if sdp->sd_jdesc is NULL, a NULL pointer dereference could occur when glock work races with an unmount operation. This can happen in the following sequence of events:

glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush

Resolution

To fix this vulnerability, two changes have been made in the code. Firstly, in the gfs2_jindex_free() function, sdp->sd_jdesc has been set to NULL under the log flush lock. This provides the necessary exclusion against gfs2_log_flush(). Secondly, in the gfs2_log_flush() function itself, a check has been added to verify if sdp->sd_jdesc is non-NULL before dereferencing it.

Here is the code snippet that demonstrates the changes made to resolve the vulnerability

/* In gfs2_jindex_free() function */
spin_lock(&sdp->sd_log_flush_lock);
list_del(&jd->extent_list);
sdp->sd_jdesc = NULL;
spin_unlock(&sdp->sd_log_flush_lock);

/* In gfs2_log_flush() function */
spin_lock(&sdp->sd_log_flush_lock);
if (sdp->sd_jdesc) {
    spin_unlock(&sdp->sd_log_flush_lock);
    /* Rest of the function execution continues */
} else {
    spin_unlock(&sdp->sd_log_flush_lock);
    return;
}

These changes ensure that the dereference does not occur when sdp->sd_jdesc is NULL, thereby preventing the NULL pointer dereference vulnerability.

References

For further information about the CVE-2024-42079 vulnerability and its resolution, please refer to the following sources:

1. Linux Kernel Mailing List (LKML) - Patch submitted for the vulnerability
2. National Vulnerability Database (NVD) - CVE-2024-42079
3. Linux Kernel Source Code Repository
4. GFS2 Documentation

Exploit Details

While there are no known exploits for this specific vulnerability at this time, it is essential to keep your Linux kernel updated with the latest security patches to ensure the safety and stability of your operating system. By implementing the code changes mentioned above, you can prevent potential NULL pointer dereference issues arising from the racing conditions between glock work and unmount operations in GFS2.

Timeline

Published on: 07/29/2024 16:15:07 UTC
Last modified on: 08/02/2024 04:54:31 UTC