A vulnerability tracked as CVE-2024-47743 was fixed in the Linux kernel's KEYS subsystem, in the asymmetric-key lookup code. The bug is a NULL pointer dereference in find_asymmetric_key() that causes a kernel oops; the practical impact is a crash (denial of service), and nothing in the fix or its references supports a claim of arbitrary code execution. The issue has been patched, and this post summarises the flaw, shows the lookup logic before and after the fix, and links the original references.

Description

In the Linux kernel, find_asymmetric_key() locates an asymmetric crypto key in a keyring. It is given up to three candidate identifiers (id_0, id_1, id_2) and uses the first non-NULL one for the search. If it is called with all three identifiers NULL, the WARN_ON() at the top of the function fires, but execution continues into the final else branch, which dereferences id_2 unconditionally, so the warning is immediately followed by an oops.

The fix adds the missing id_2 check and moves the WARN_ON() into the final else branch, so the warning sits next to the early return instead of duplicating the NULL checks. The bug was found by the Linux Verification Center (linuxtesting.org) using the Svace static analysis tool, and the patch was submitted to the kernel mailing list.

The following snippet is a simplified illustration of the original control flow. The find_keyid_* helpers are placeholders for the keyring search the real function performs once it has chosen which identifier to use; the point is the unchecked use of id_2 in the last branch:

struct key *find_asymmetric_key(struct key *keyring,
                                 const struct asymmetric_id *id_,
                                 const struct asymmetric_id *id_1,
                                 const struct asymmetric_id *id_2)
{
        /* Warns when no identifier was supplied, but does not return. */
        WARN_ON(!id_ && !id_1 && !id_2);

        if (id_ && id_1 && id_2)
                return find_keyid_third(keyring, id_, id_1, id_2);
        else if (id_ && id_1)
                return find_keyid_second(keyring, id_, id_1);
        else if (id_ && id_2)
                return find_keyid_second(keyring, id_, id_2);
        else
                /* Reached for all-NULL input as well: id_2 is used unchecked. */
                return find_keyid_first(keyring, id_2);
}

With the fix applied, the same logic looks like this. One caveat: the real kernel function returns ERR_PTR(-EINVAL) from the new else branch rather than NULL, because its callers test the result with IS_ERR(); a plain NULL would only move the dereference into the caller.

struct key *find_asymmetric_key(struct key *keyring,
                                 const struct asymmetric_id *id_,
                                 const struct asymmetric_id *id_1,
                                 const struct asymmetric_id *id_2)
{
        if (id_ && id_1 && id_2)
                return find_keyid_third(keyring, id_, id_1, id_2);
        else if (id_ && id_1)
                return find_keyid_second(keyring, id_, id_1);
        else if (id_ && id_2)
                return find_keyid_second(keyring, id_, id_2);
        else if (id_2)
                /* id_2 is now checked before it is used. */
                return find_keyid_first(keyring, id_2);
        else {
                /* All identifiers NULL: warn once and bail out without
                 * dereferencing anything. The kernel's fix returns
                 * ERR_PTR(-EINVAL) here, which callers check with IS_ERR(). */
                WARN_ON(1);
                return NULL;
        }
}
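To make the control-flow difference concrete, here is a userspace model of the identifier selection in find_asymmetric_key(), added as an example for this post rather than taken from the kernel source. The structures, the error-pointer helpers, the WARN_ON() stand-in and the keyring contents are constructed; find_asymmetric_key_vuln() mirrors the pre-fix branch structure, find_asymmetric_key_fixed() the post-fix one, and describe_lookup() shows the IS_ERR() check a caller has to perform before touching the result.

```c
/* Userspace model of the identifier selection in find_asymmetric_key():
 * added example, not kernel code. The keyring contents, key identifiers,
 * WARN_ON() stand-in and error-pointer helpers are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOKEY
#define ENOKEY 126 /* Linux value; not every libc defines it */
#endif

/* Modelled on the kernel's struct asymmetric_key_id (length-prefixed blob). */
struct asymmetric_key_id {
    unsigned short len;
    const unsigned char *data;
};

struct key {
    const char *description;
    struct asymmetric_key_id id;
};

/* Error-pointer helpers in the style of include/linux/err.h: "found",
 * "no such key" and "invalid call" all travel through one return value. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Stand-in for WARN_ON(): reports the condition but, like the kernel
 * macro, does not change control flow. */
static int warn_on_hit(int cond, const char *what)
{
    if (cond)
        fprintf(stderr, "WARNING: %s\n", what);
    return cond;
}
#define WARN_ON(cond) warn_on_hit(!!(cond), #cond)

/* Constructed keyring: two keys plus one identifier that matches nothing. */
static const unsigned char KEYID_A[] = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char KEYID_B[] = { 0xaa, 0xbb, 0xcc, 0xdd };
static const unsigned char KEYID_X[] = { 0xff, 0xff };
const struct asymmetric_key_id id_a = { sizeof KEYID_A, KEYID_A };
const struct asymmetric_key_id id_b = { sizeof KEYID_B, KEYID_B };
const struct asymmetric_key_id id_unknown = { sizeof KEYID_X, KEYID_X };
static struct key keyring[] = {
    { "asymmetric: key A", { sizeof KEYID_A, KEYID_A } },
    { "asymmetric: key B", { sizeof KEYID_B, KEYID_B } },
};

static struct key *keyring_search(const unsigned char *lookup, size_t len)
{
    for (size_t i = 0; i < sizeof keyring / sizeof keyring[0]; i++)
        if ((size_t)keyring[i].id.len == len &&
            memcmp(keyring[i].id.data, lookup, len) == 0)
            return &keyring[i];
    return ERR_PTR(-ENOKEY);
}

/* Pre-fix selection: the warning fires for all-NULL input, but the final
 * else dereferences id_2 regardless. Three NULLs crash this function,
 * which is the kernel oops the CVE describes. */
struct key *find_asymmetric_key_vuln(const struct asymmetric_key_id *id_0,
                                     const struct asymmetric_key_id *id_1,
                                     const struct asymmetric_key_id *id_2)
{
    const unsigned char *lookup;
    size_t len;

    WARN_ON(!id_0 && !id_1 && !id_2);
    if (id_0)      { lookup = id_0->data; len = id_0->len; }
    else if (id_1) { lookup = id_1->data; len = id_1->len; }
    else           { lookup = id_2->data; len = id_2->len; } /* id_2 may be NULL */
    return keyring_search(lookup, len);
}

/* Post-fix selection: id_2 is checked like the others; the all-NULL case
 * warns once and returns an error pointer without touching memory. */
struct key *find_asymmetric_key_fixed(const struct asymmetric_key_id *id_0,
                                      const struct asymmetric_key_id *id_1,
                                      const struct asymmetric_key_id *id_2)
{
    const unsigned char *lookup;
    size_t len;

    if (id_0)      { lookup = id_0->data; len = id_0->len; }
    else if (id_1) { lookup = id_1->data; len = id_1->len; }
    else if (id_2) { lookup = id_2->data; len = id_2->len; }
    else           { WARN_ON(1); return ERR_PTR(-EINVAL); }
    return keyring_search(lookup, len);
}

/* Caller-side discipline: the result is only dereferenced after IS_ERR(). */
const char *describe_lookup(const struct asymmetric_key_id *id_0,
                            const struct asymmetric_key_id *id_1,
                            const struct asymmetric_key_id *id_2)
{
    struct key *key = find_asymmetric_key_fixed(id_0, id_1, id_2);

    if (IS_ERR(key))
        return PTR_ERR(key) == -EINVAL ? "invalid lookup: no identifier given"
                                       : "no matching key";
    return key->description;
}
```

Calling find_asymmetric_key_vuln(NULL, NULL, NULL) prints the warning and then faults on the id_2 read, while find_asymmetric_key_fixed(NULL, NULL, NULL) prints the warning and hands back -EINVAL; the first non-NULL identifier wins in both versions, so a known id_2 is ignored when an unknown id_0 is supplied, just as in the kernel.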

References

1. Linux Verification Center (LVC) - www.linuxtesting.org
2. The Svace static analysis tool - Svace
3. Patch submission mailing list - Patchwork.kernel.org
4. National Vulnerability Database (NIST) - CVE-2024-47743

Exploit Details

find_asymmetric_key() is an in-kernel API with no direct user-space entry point, so the bug is not triggered by feeding crafted input to the function itself; it is reached only when some kernel caller passes NULL for all three identifiers. On an unpatched kernel that produces a WARN_ON() splat followed by an oops in the calling context, which is a denial of service; on systems booted with panic_on_warn=1 or oops=panic, the warning or the oops alone brings the whole machine down. Nothing in the fix or its references indicates memory corruption or code execution. Patched kernels are not affected, and administrators should move to a kernel that carries the fix ("KEYS: prevent NULL pointer dereference in find_asymmetric_key()") rather than rely on the oops being survivable.

Timeline

Published on: 10/21/2024 13:15:04 UTC
Last modified on: 11/05/2024 09:49:49 UTC