In the Linux kernel, a vulnerability has been resolved involving an issue with removing proc entries when a device is unregistered. Specifically, the problem was found in the CAN-Bus Broadcast Manager (BCM). This post delves into the details of the vulnerability, provides a code snippet highlighting the affected section, and links to the original references for further information.

Details

It was reported that syzkaller, a testing tool for the Linux kernel, discovered a warning in the bcm_connect() function. The code in question is part of the Linux kernel's CAN-Bus stack, a key component in automotive and industrial applications for message-based communication between devices. The vulnerability concerns the proc entry that the bcm subsystem creates for a socket.

When a connect() syscall is made for a BCM socket, a proc entry is allocated, and bcm_sk(sk)->bound is set to 1 to prevent further connect() calls. The problem arises when the bound device is removed, which leads to bcm_sk(sk)->bound being reset to 0 in the bcm_notify() function. Consequently, a second connect() syscall attempts to allocate a proc entry with the same name, which fails, and stores NULL in bcm_sk(sk)->bcm_proc_read, overwriting the pointer to the entry created by the first call. That entry is never removed, so it leaks.

The fix for this issue is to clean up the proc entry when the bound netdev (network device) is unregistered.

Code snippet

/* Simplified fragment of bcm_connect() in net/can/bcm.c: handling the
 * result of creating the per-socket proc entry. */
bcm_connect() {
    ...
    if (!IS_ERR(proc_ent)) {
        /* Remember the entry and mark the socket bound so that a
         * further connect() is refused. */
        bcm_sk(sk)->bcm_proc_read = proc_ent;
        bcm_sk(sk)->bound = 1;
    } else {
        /* Creation failed. If a previous entry still existed for this
         * socket, its pointer is lost here, which is the leak. */
        bcm_sk(sk)->bcm_proc_read = NULL;
        bcm_sk(sk)->bound = 0;
    }
    ...
}
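To make the sequence concrete, here is an added user-space model of the socket state described above. It is illustration code written for this post, not the kernel's net/can/bcm.c: the names proc_entries, proc_count, bcm_sock, bcm_notify_unregister, leaked_entries_after and the fixed flag are hypothetical, and the socket inode number 1234 is a constructed value. The fixed variant mirrors the patch's approach of dropping the proc entry when the bound netdev is unregistered.

```c
#include <string.h>

/* Hypothetical user-space model of the BCM socket state described above, not kernel code. */
#define MAX_PROC 8
static int proc_entries[MAX_PROC];  /* simulated proc entry names, 0 = free slot */
static int proc_count;
struct bcm_sock { int bound; int bcm_proc_read; };  /* bcm_proc_read: slot index, -1 = none */

/* Like the kernel's proc fs, creating a second entry with an existing name fails. */
static int proc_create(int name)
{
    int slot = -1;
    for (int i = 0; i < MAX_PROC; i++) {
        if (proc_entries[i] == name)
            return -1;  /* duplicate name: the case behind the warning syzkaller reported */
        if (proc_entries[i] == 0 && slot < 0)
            slot = i;
    }
    if (slot >= 0) { proc_entries[slot] = name; proc_count++; }
    return slot;
}

static void proc_remove(int idx) { if (idx >= 0 && proc_entries[idx]) { proc_entries[idx] = 0; proc_count--; } }

/* connect(): create the proc entry named after the socket inode and mark the socket bound. */
static int bcm_connect(struct bcm_sock *bo, int sock_ino)
{
    if (bo->bound) return -1;
    bo->bcm_proc_read = proc_create(sock_ino);  /* on failure the old handle is overwritten: the leak */
    bo->bound = 1;
    return 0;
}

/* netdev unregister notifier; with fixed != 0 the proc entry is removed before bound is cleared. */
static void bcm_notify_unregister(struct bcm_sock *bo, int fixed)
{
    if (fixed) { proc_remove(bo->bcm_proc_read); bo->bcm_proc_read = -1; }
    bo->bound = 0;
}

/* Replays connect, device removal, connect, close; returns the proc entries left behind. */
static int leaked_entries_after(int fixed)
{
    struct bcm_sock bo = { 0, -1 };
    memset(proc_entries, 0, sizeof proc_entries); proc_count = 0;
    bcm_connect(&bo, 1234);
    bcm_notify_unregister(&bo, fixed);
    bcm_connect(&bo, 1234);
    proc_remove(bo.bcm_proc_read);  /* socket close releases whatever handle it still holds */
    return proc_count;
}
```

With the unfixed notifier one entry survives the socket's close; with the fix applied none does.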

Original references

Issue reported by syzkaller: syzkaller warning in bcm_connect()

GitHub commit showing the patch to fix the issue: can: bcm: Remove proc entry when dev is unregistered

Linux kernel mailing list message discussing the fix: [PATCH net 00/12] net: Remove proc_create() single_entry wrappers, https://patchwork.kernel.org/project/netdevbpf/patch/20220619163209.2013242-1-serge@hallyn.com/

Exploit details

This vulnerability could be exploited by a malicious actor to cause a Denial of Service (DoS) on a system. An attacker could abuse the behaviour described above to leak proc entries repeatedly, causing the system to run out of memory and subsequently crash. It is therefore essential to apply the security patch to mitigate this vulnerability in the Linux kernel.

Timeline

Published on: 09/18/2024 08:15:05 UTC
Last modified on: 12/19/2024 09:22:49 UTC