In the Linux kernel, the following vulnerability has been resolved: smb/client: avoid possible NULL dereference in cifs_free_subrequest(). This blog post gives an overview of the vulnerability, a code snippet showing the fix, links to the original references, and what is known about exploitability.

Vulnerability Overview

The cifs_free_subrequest() function is part of the smb/client code, which implements CIFS/SMB client operations in the Linux kernel. The problem was found by the Clang static checker (scan-build), which reported at cifsglob.h:890, column 3 that access to the field 'ops' results in a dereference of a NULL pointer. That location is where add_credits_and_wake_if() reaches through rdata->server->ops, so the warning is about a read subrequest being freed while its 'rdata->server' pointer is NULL.

The warning appeared after commit 519be989717c ("cifs: Add a tracepoint to track credits involved in R/W requests"). That commit added a check for 'rdata->server' on the new tracepoint path, which tells the analyzer that the pointer can be NULL; the unconditional call that follows is then flagged. Concretely, if 'rdata->credits.value != 0 && rdata->server == NULL', add_credits_and_wake_if() calls 'rdata->server->ops->add_credits()' and dereferences a NULL pointer.

Code Snippet of the Fix

To fix this vulnerability, a check for 'rdata->server' was added to avoid the NULL dereference issue. The following code snippet demonstrates the change:

void cifs_free_subrequest(struct cifs_rdata *rdata)
{
	/* Credits still charged to this subrequest must be returned to the
	 * server connection, but only if a connection is actually attached. */
	if (rdata->credits.value) {
		if (rdata->server)	/* the added NULL check */
			add_credits_and_wake_if(rdata->server, &rdata->credits);
		else
			trace_smb_no_server_conn(rdata->sess->Suid);
	}

	/* Release the pages backing the read and the page array itself. */
	if (rdata->pages && rdata->mr->type == BIO_RDATA) {
		int i;

		for (i = 0; i < rdata->npages; i++)
			put_page(rdata->pages[i]);
		kfree(rdata->pages);
	}

	kfree(rdata);
}

In the above code snippet, the added 'if (rdata->server)' test ensures the server pointer is non-NULL before add_credits_and_wake_if() dereferences it; the else branch handles the case where no server connection is attached to the subrequest, which previously led straight into the NULL dereference.
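To make the before/after behaviour concrete, here is an added user-space C model of the credit-return path explained above and shown in the snippet. It is not kernel code: struct fake_server, struct server_ops, struct fake_rdata and the trace stub are hypothetical stand-ins for the kernel's server, server-ops and read-subrequest structures, and the choice to zero the credits on the no-server path is a modelling assumption, not something the page states. The 'server ? ... : 0' test in the trace stub mirrors the conditional that made the analyzer treat the pointer as nullable, and the fixed function guards the dereference the way the patch does.

```c
/*
 * Added example, not kernel code: a user-space model of the credit-return
 * path in cifs_free_subrequest(). All type and function names below are
 * hypothetical stand-ins chosen so the model compiles outside the kernel.
 */
#include <stddef.h>
#include <stdio.h>

struct fake_server;

struct server_ops {
	/* stand-in for server->ops->add_credits() */
	void (*add_credits)(struct fake_server *server, unsigned int value);
};

struct fake_server {
	const struct server_ops *ops;
	unsigned int credits;		/* credits available on this connection */
};

struct fake_rdata {
	struct fake_server *server;	/* NULL when no connection is bound */
	unsigned int credits_value;	/* credits still charged to this subrequest */
};

static void add_credits_impl(struct fake_server *server, unsigned int value)
{
	server->credits += value;
}

static const struct server_ops demo_ops = { .add_credits = add_credits_impl };

/* Stand-in for the tracepoint. The 'server ? ... : 0' test is the kind of
 * check that tells a static analyzer the pointer may be NULL. */
static void trace_rw_credits(const struct fake_rdata *rdata)
{
	printf("free_subreq: value=%u server_credits=%u\n",
	       rdata->credits_value,
	       rdata->server ? rdata->server->credits : 0u);
}

/* Pre-fix shape: the call after the trace dereferences rdata->server
 * unconditionally. With server == NULL this is the reported oops, so this
 * model must only ever be called with a bound server. */
static void free_subrequest_unfixed(struct fake_rdata *rdata)
{
	if (rdata->credits_value != 0) {
		trace_rw_credits(rdata);
		rdata->server->ops->add_credits(rdata->server, rdata->credits_value);
		rdata->credits_value = 0;
	}
}

/* Fixed shape: return credits only when a server is bound. Returns 1 if
 * credits were returned, 2 if dropped for lack of a server, 0 if there
 * was nothing to return. Zeroing on both paths is a modelling assumption
 * so the credits cannot be returned twice. */
static int free_subrequest_fixed(struct fake_rdata *rdata)
{
	int path = 0;

	if (rdata->credits_value != 0) {
		trace_rw_credits(rdata);
		if (rdata->server) {
			rdata->server->ops->add_credits(rdata->server,
							rdata->credits_value);
			path = 1;
		} else {
			path = 2;
		}
		rdata->credits_value = 0;
	}
	return path;
}

/* Bound server: both versions behave identically and return credits. */
static unsigned int demo_bound_server_credits(void)
{
	struct fake_server srv = { .ops = &demo_ops, .credits = 10 };
	struct fake_rdata a = { .server = &srv, .credits_value = 3 };
	struct fake_rdata b = { .server = &srv, .credits_value = 3 };

	free_subrequest_unfixed(&a);	/* safe here: server is bound */
	free_subrequest_fixed(&b);
	return srv.credits;		/* 10 + 3 + 3 = 16 */
}

/* Orphaned subrequest (no server): the fixed version must not crash.
 * Returns the path taken, or -1 if credits were left charged. */
static int demo_orphan_path(void)
{
	struct fake_rdata rdata = { .server = NULL, .credits_value = 3 };
	int path = free_subrequest_fixed(&rdata);

	return rdata.credits_value == 0 ? path : -1;	/* 2 */
}

int main(void)
{
	printf("bound server credits: %u\n", demo_bound_server_credits());
	printf("orphan path: %d\n", demo_orphan_path());
	return 0;
}
```

Calling free_subrequest_unfixed() with an orphaned rdata would reproduce the crash shape in user space as a segmentation fault; the model deliberately never does so, which is exactly the invariant the kernel patch restores.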

For those interested in diving deeper into the technical details of this vulnerability and its resolution, here are some essential links:

1. Linux kernel patch submission - includes detailed explanation and patch submission.
2. Linux kernel git commit - commit details and difference view.

Exploit Details

No public exploit is described for this issue. Reaching the NULL dereference requires a read subrequest that still holds credits while its 'rdata->server' pointer is NULL, a condition that depends on connection state and is difficult to trigger reliably. Where it is reached, the result is a kernel NULL pointer dereference, i.e. an oops on the affected host, so the realistic impact is denial of service (DoS).

In conclusion, the CVE-2024-44992 vulnerability in the Linux kernel's smb/client component could result in a NULL dereference in cifs_free_subrequest(). By adding a check for 'rdata->server' before the credits are returned, the Linux kernel developers have addressed the issue. Users are encouraged to ensure their Linux kernel is up to date and patched against this vulnerability to protect their systems against potential attacks.

Timeline

Published on: 09/04/2024 20:15:08 UTC
Last modified on: 09/06/2024 16:29:28 UTC