A new vulnerability, CVE-2024-42084, has been resolved in the Linux kernel, specifically involving the ftruncate() syscall. The flaw stems from a signed offset being passed without sign extension when the syscall is called in compatibility mode on 64-bit architectures. As a result, passing a negative length accidentally succeeds in truncating the file to a size between 2GiB and 4GiB. This post discusses the details of the flaw and its fix and provides the relevant code.
Details
The ftruncate() syscall, which resizes a file to a specified length, misses a sign extension when called in compatibility mode on 64-bit architectures. The issue lies in the old ftruncate() syscall, which uses the 32-bit off_t: its length argument is taken as an unsigned value, so a negative length is not rejected and instead truncates the file to a size between 2GiB and 4GiB.
The following code snippet demonstrates the issue:

SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
{
	/* length is unsigned: a negative 32-bit value arrives zero-extended,
	 * so it looks like a large positive size and is not rejected */
	return ksys_ftruncate(fd, length);
}
Change this to the following to correctly utilize the signed compat_off_t:

SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_off_t, length)
{
	/* length is now signed; the cast sign-extends it to the 64-bit
	 * off_t, so a negative value stays negative and fails validation */
	return ksys_ftruncate(fd, (__kernel_off_t)length);
}
By changing the type of the compatibility syscall to the signed compat_off_t, the syscall now returns -EINVAL instead of inadvertently truncating file sizes.
It is important to note that this issue does not affect the native entry point, the truncate() syscall, or other loff_t-based variants, as they use the correct signed type and are not vulnerable to this mistake.
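To make the zero- versus sign-extension difference concrete, here is an added userspace model (not kernel code) of how a 32-bit length argument reaches the 64-bit kernel under the old and the fixed compat entry. The typedefs and do_sys_ftruncate_model() are assumptions standing in for the kernel's types and its negative-length check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel types discussed above: compat_ulong_t is
 * a 32-bit unsigned integer, compat_off_t a 32-bit signed integer, and the
 * 64-bit signed length used internally (__kernel_off_t / loff_t) is modelled
 * as kernel_off_t. */
typedef uint32_t compat_ulong_t;
typedef int32_t  compat_off_t;
typedef int64_t  kernel_off_t;

/* Model of the length validation in the truncate path: a negative length is
 * rejected with -EINVAL before any file is touched. Hypothetical helper, not
 * the kernel function. */
static long do_sys_ftruncate_model(kernel_off_t length)
{
    if (length < 0)
        return -EINVAL;
    return 0;   /* would go on to truncate the file to `length` bytes */
}

/* Old compat entry: the 32-bit register value is treated as unsigned, so the
 * widening to 64 bits is a zero extension and the sign bit becomes magnitude. */
static kernel_off_t compat_length_before_fix(uint32_t raw_reg)
{
    compat_ulong_t length = raw_reg;
    return (kernel_off_t)length;
}

/* Fixed compat entry: the value is taken as signed compat_off_t, so widening
 * to 64 bits sign-extends and a negative length stays negative. */
static kernel_off_t compat_length_after_fix(uint32_t raw_reg)
{
    compat_off_t length = (compat_off_t)raw_reg;
    return (kernel_off_t)length;
}

int main(void)
{
    /* A 32-bit caller issuing ftruncate(fd, -1): the register holds 0xFFFFFFFF. */
    uint32_t raw = 0xFFFFFFFFu;
    kernel_off_t before = compat_length_before_fix(raw);
    kernel_off_t after  = compat_length_after_fix(raw);

    printf("before fix: length=%lld rc=%ld\n", (long long)before,
           do_sys_ftruncate_model(before));   /* 4294967295, rc=0 (accepted) */
    printf("after fix:  length=%lld rc=%ld\n", (long long)after,
           do_sys_ftruncate_model(after));    /* -1, rc=-22 (-EINVAL) */
    return 0;
}
```

Every negative 32-bit length maps to the 2GiB..4GiB window under the old entry, which is exactly the range the advisory describes.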
This vulnerability has been documented, and the patch details can be accessed through the following links:
1. Linux kernel Git repository commit
2. Patch submitted to the LKML
Conclusion
The resolved CVE-2024-42084 vulnerability in the Linux kernel highlights an error in the ftruncate() syscall when used in compatibility mode on 64-bit architectures. The issue could lead to unintended file truncation, as passing a negative length truncates the file to a size between 2GiB and 4GiB. By updating the syscall to use the signed compat_off_t, the vulnerability is mitigated and the syscall returns -EINVAL instead. Those running the Linux kernel should ensure their version includes this change.
Timeline
Published on: 07/29/2024 17:15:11 UTC
Last modified on: 12/19/2024 09:12:26 UTC