A recently discovered vulnerability in the Linux kernel, specifically in the module "mm: vmalloc," has been resolved. This vulnerability -- tracked as CVE-2024-46847 -- could have led to out-of-bounds access due to uninitialized data in the 'vmap_block' structure. This blog post will provide an overview of the vulnerability, share a code snippet of the fix, and direct you to the original references for further details.

Vulnerability Details

The issue revolves around a data structure called 'vmap_block,' which was extended in commit 8c61291fd850 to contain a 'cpu' field initialized at allocation time. The problem occurred when the 'vmap_block' was instantiated by new_vmap_block(), where the partially initialized structure was added to the local 'vmap_block_queue' xarray before the 'cpu' field had been initialized.

As a result, if another CPU was concurrently walking the xarray (e.g., via vm_unmap_aliases()), it could read the not-yet-initialized 'cpu' field, use it as an index into the per-CPU queue array, and so perform an out-of-bounds access to the remote queue. This issue was observed as UBSAN errors on the Android operating system.

The Code Fix

In order to fix this issue, the initialization of 'vb->cpu' in the new_vmap_block() function was moved ahead of the addition to the xarray, as shown in the code snippet below:

/* mm/vmalloc.c: new_vmap_block() */

...
vb->first_free = -1;
INIT_HLIST_HEAD(&vb->free_head);
/* Set the owning CPU before the block becomes visible to other CPUs. */
vb->cpu = smp_processor_id();

/* Only now publish the block in the per-CPU queue's xarray. */
ret = xa_err(xa_store_irq(&vbq->array, vb->vaddr >> VB_SHIFT,
              vb, GFP_KERNEL));
if (ret)        /* xa_err() returns 0 on success, a negative errno on failure */
     goto err;
...
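To make the ordering concrete, the following is an added user-space model written for this post, not the kernel's code: the struct names are borrowed from the text, while NR_CPUS, QUEUE_SLOTS, CPU_UNINIT, the slot arithmetic and the walker's counting are constructed. It publishes a block either before or after its 'cpu' field is set and runs a walker inside the race window, so the pre-fix ordering yields an out-of-range queue index and the fixed ordering does not.

```c
#include <stdlib.h>

#define NR_CPUS     4
#define QUEUE_SLOTS 8
#define CPU_UNINIT  0x7fffffff  /* constructed stand-in for an uninitialised 'cpu' */
struct vmap_block { unsigned long vaddr; int cpu; /* owning CPU's queue index */ };
struct vmap_block_queue { struct vmap_block *blocks[QUEUE_SLOTS]; };
static struct vmap_block_queue vmap_block_queue[NR_CPUS];
/* Models the concurrent walker (vm_unmap_aliases()): follows each published
 * block's 'cpu' into the remote queue. Returns blocks found there, or -1 when
 * the index would leave vmap_block_queue[] (the access UBSAN flagged). */
static int walk_queue(int cpu)
{
    int found = 0;
    for (int i = 0; i < QUEUE_SLOTS; i++) {
        struct vmap_block *vb = vmap_block_queue[cpu].blocks[i];
        if (!vb) continue;
        if (vb->cpu < 0 || vb->cpu >= NR_CPUS)
            return -1;                              /* out-of-bounds index */
        found += vmap_block_queue[vb->cpu].blocks[i] != NULL;
    }
    return found;
}
/* Allocates a block on this_cpu, publishes it, then runs the walker in the
 * window before the 'cpu' store; init_first == 0 is the pre-fix ordering. */
static int new_vmap_block(int this_cpu, unsigned long vaddr, int init_first)
{
    struct vmap_block *vb = malloc(sizeof(*vb));
    if (!vb)
        return -1;
    vb->vaddr = vaddr;
    vb->cpu = CPU_UNINIT;
    if (init_first)
        vb->cpu = this_cpu;                         /* fixed: set before publish */
    vmap_block_queue[this_cpu].blocks[(vaddr >> 12) % QUEUE_SLOTS] = vb;
    int seen = walk_queue(this_cpu);                /* racing CPU walks the queue */
    if (!init_first)
        vb->cpu = this_cpu;                         /* original: set after publish */
    return seen;
}
/* One allocation with the chosen ordering on freshly emptied queues. */
static int run_race(int init_first)
{
    for (int c = 0; c < NR_CPUS; c++)
        for (int i = 0; i < QUEUE_SLOTS; i++) {
            free(vmap_block_queue[c].blocks[i]);
            vmap_block_queue[c].blocks[i] = NULL;
        }
    return new_vmap_block(2, 5 * 0x1000UL, init_first); /* -1 buggy, 1 fixed */
}
```

The model is deterministic on purpose: the walker runs exactly in the window the real race needs, which on hardware only opens occasionally and is why the bug surfaced as sporadic UBSAN reports rather than a reproducible crash.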

Original References

1. Linux kernel source code commit that fixed the issue
2. Linux kernel mailing list discussion on the patch

In conclusion, CVE-2024-46847 was a vulnerability in the Linux kernel's mm: vmalloc module that could have led to out-of-bounds access due to uninitialized data in the 'vmap_block' structure. The issue has since been resolved with a code fix that ensures the proper initialization of the 'cpu' field in the 'vmap_block' structure before adding it to the 'vmap_block_queue' xarray. We encourage all Linux kernel users to ensure they are using an updated version of the kernel with the patch applied to avoid potential exploitation of this vulnerability.

Timeline

Published on: 09/27/2024 13:15:16 UTC
Last modified on: 11/05/2024 09:47:45 UTC