CVE-2024-42250: Linux Kernel Vulnerability Resolved in CacheFiles Polling

A recently discovered vulnerability (CVE-2024-42250) in the Linux kernel has been resolved, providing improved security for systems using the cachefiles filesystem caching mechanism. This post will discuss the details of the vulnerability, the solution provided, and how it can be applied to your system to ensure security.

Vulnerability Details

In the Linux kernel, the cachefiles implementation was found to lack proper lock protection when polling. This could lead to potential race conditions, as well as incorrect data access or modification. The issue arises due to the poll routine iterating over the xarray used by cachefiles, with only the RCU read lock held. This means that while the xarray itself is protected, the data structures stored in its slots (such as struct cachefiles_req) are not.

To illustrate this, consider the following code snippet from the original poll routine implementation:

/* Polling function for cachefiles */
static __poll_t cachefiles_poll(struct file *file, poll_table *wait)
{
        struct cachefiles_req *creq;
        int i;

        rcu_read_lock();

        for (i = ; i < CACHEFILES_POLL_NR_RADIX_TREE; i++) {
                rcu_read_unlock();
                ...
                rcu_read_lock();
        }

        rcu_read_unlock();
}

In this code, the rcu_read_lock() function is used to lock the xarray, but no additional lock is used to protect the data structures within the array, leading to the vulnerability.

Exploit Details

An attacker exploiting this vulnerability could potentially gain unauthorized access to information, modify it unexpectedly, or cause crashes within the kernel subsystem. The risk is escalated due to the potential for concurrent access and modification of shared data structures.

Solution

To resolve this vulnerability, a spinlock should be added to provide proper lock protection for the data structures within the xarray. The updated code snippet is as follows:

/* Polling function for cachefiles */
static __poll_t cachefiles_poll(struct file *file, poll_table *wait)
{
        struct cachefiles_req *creq;
        int i;

        rcu_read_lock();
        spin_lock(&cachefiles_lock);

        for (i = ; i < CACHEFILES_POLL_NR_RADIX_TREE; i++) {
                spin_unlock(&cachefiles_lock);
                ...
                spin_lock(&cachefiles_lock);
        }

        spin_unlock(&cachefiles_lock);
        rcu_read_unlock();
}

By including a spinlock, the data structures within the xarray are now protected from race conditions and unauthorized access or modification. This patch has been applied to the latest Linux kernel source and should be included in future distribution updates.

For more information on this vulnerability and the solution, you can refer to the following links

- CVE-2024-42250
- Linux Kernel Patch

Conclusion

By applying the provided patch, the Linux kernel vulnerability in the cachefiles polling mechanism is successfully resolved, ensuring a safer and more secure system. Be sure to keep your system up-to-date and patched to the latest kernel version to protect against potential exploits.

Timeline

Published on: 08/07/2024 16:15:47 UTC
Last modified on: 08/08/2024 20:55:19 UTC