In the Linux kernel, a vulnerability has been identified and resolved that could lead to a null pointer dereference. This article discusses the details of the vulnerability, its impact, and the resolution provided for it. It also includes links to the original references and code snippets to make the issue easier to understand.

Vulnerability Description

The vulnerability (CVE-2024-50062) resides in the RDMA/rtrs-srv subsystem of the Linux kernel. It occurs during path establishment between a Remote Direct Memory Access (RDMA) client and an RDMA Reliable Transport Service (RTRS) server. While the connections that make up a path are being established, a null pointer dereference is possible if certain error conditions are not handled appropriately, which can crash the kernel or cause other anomalous behavior.

Exploit Details

The vulnerable code path is reached during RTRS path establishment. In this process, the RTRS client initiates and completes a predefined number of connections (referred to as con_num). Once all connections are established, the client and server exchange information through an info_req message.

However, if an error occurs and not all connections have been established, the RTRS server may still attempt to process the info_req message. This can lead to a null pointer dereference, because the server may access a per-connection resource that was never allocated.

To better understand the issue, let's take a look at the (simplified) code snippet below:

// Establish all con_num connections that make up the path
for (i = 0; i < con_num; i++) {
    // Establish connection i
    // ...

    if (error) {
        // Handle the error, but keep going
        // ...
    }

    // Continue to the next connection
}

In this code snippet, the RTRS client iterates over all connections, attempting to establish each one. If an error occurs, it is handled locally, but path establishment continues to the info_req exchange even though not all connections have been established, so the server ends up processing info_req against connections that do not exist.

Solution

To address this vulnerability, additional sanity checks are added so that the server detects an error during path establishment and aborts the process. These checks make sure that all connections have been established and that the state of the RTRS server path is CONNECTED before the info_req message is processed.

Here's an updated (simplified) code snippet that demonstrates the added sanity checks:

// Establish all con_num connections that make up the path
for (i = 0; i < con_num; i++) {
    // Establish connection i
    // ...

    if (error) {
        // Handle the error
        // ...
        return -1;  // Abort path establishment; do not proceed to info_req
    }

    // Continue to the next connection
}

// Do not process info_req unless every connection is up and the path is CONNECTED
if (state != CONNECTED) {
    // Abort path establishment process
    return -1;
}

This code ensures that if an error occurs during path establishment, the server aborts the process immediately instead of going on to process info_req, which prevents the null pointer dereference.
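To make the failure mode and the check concrete, the following is an added, self-contained C model of the scenario described above. It is not the kernel's code: the structures, names and the constructed failure injection (path_build, srv_path, srv_con, process_info_req) are assumptions for this example. A client that opens con_num connections is simulated, an error is injected partway through, and the server-side handler refuses to touch the connection slots unless every one is populated and the path state is CONNECTED.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of an RTRS server path (assumed names,
 * not the kernel's structures). */
enum path_state { PATH_CONNECTING, PATH_CONNECTED, PATH_CLOSING };

struct srv_con {
	unsigned int cid;	/* connection index within the path */
	unsigned int qp_ready;	/* queue pair finished setup */
};

struct srv_path {
	enum path_state state;
	size_t con_num;		/* connections the client intends to open */
	size_t established;	/* connections that actually completed */
	struct srv_con **cons;	/* con_num slots; NULL until established */
};

/* Constructed scenario: the client opens con_num connections, but the
 * attempt at index fail_at (if fail_at < con_num) fails and the remaining
 * slots stay NULL, exactly the situation the sanity checks must catch. */
static struct srv_path *path_build(size_t con_num, size_t fail_at)
{
	struct srv_path *p = calloc(1, sizeof(*p));
	size_t i;

	if (!p)
		return NULL;
	p->cons = calloc(con_num, sizeof(*p->cons));
	if (!p->cons) {
		free(p);
		return NULL;
	}
	p->con_num = con_num;
	p->state = PATH_CONNECTING;
	for (i = 0; i < con_num; i++) {
		if (i == fail_at)
			break;		/* injected error: stop opening connections */
		p->cons[i] = calloc(1, sizeof(**p->cons));
		if (!p->cons[i])
			break;
		p->cons[i]->cid = (unsigned int)i;
		p->cons[i]->qp_ready = 1;
		p->established++;
	}
	if (p->established == con_num)
		p->state = PATH_CONNECTED;
	return p;
}

static void path_free(struct srv_path *p)
{
	size_t i;

	if (!p)
		return;
	for (i = 0; i < p->con_num; i++)
		free(p->cons[i]);
	free(p->cons);
	free(p);
}

/* Sanity checks in the spirit of the fix: every slot must be populated
 * and ready, and the path must be in the expected state. Returns 0 when
 * the path is safe to use, -errno otherwise. */
static int path_sanity_check(const struct srv_path *p, enum path_state expect)
{
	size_t i;

	if (p->established != p->con_num)
		return -ENOTCONN;
	for (i = 0; i < p->con_num; i++)
		if (!p->cons[i] || !p->cons[i]->qp_ready)
			return -ENOTCONN;
	if (p->state != expect)
		return -EINVAL;
	return 0;
}

/* Server-side info_req handler: only after the checks pass does it
 * dereference every connection (summing the cids stands in for the real
 * per-connection work). Without the check, a NULL slot would be hit. */
static int process_info_req(struct srv_path *p, unsigned int *cid_sum)
{
	int rc = path_sanity_check(p, PATH_CONNECTED);
	size_t i;

	if (rc)
		return rc;	/* abort instead of dereferencing NULL */
	*cid_sum = 0;
	for (i = 0; i < p->con_num; i++)
		*cid_sum += p->cons[i]->cid;	/* safe: all slots verified */
	return 0;
}

int main(void)
{
	unsigned int sum = 0;
	struct srv_path *ok = path_build(4, 4);	/* no failure injected */
	struct srv_path *bad = path_build(4, 2);	/* fails at connection 2 */

	printf("complete path: rc=%d sum=%u\n", process_info_req(ok, &sum), sum);
	printf("partial path:  rc=%d (expected -%d)\n",
	       process_info_req(bad, &sum), ENOTCONN);
	path_free(ok);
	path_free(bad);
	return 0;
}
```

The ordering of the checks mirrors the text: connection completeness first, then path state, so a partial path is reported as not connected even before its state is examined. A path whose slots are all populated but whose state has moved on (for example to closing) is still rejected by the state check.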

Original References

For more information on this vulnerability and its resolution, consult the following original references:

- Official Linux Kernel Mailing List patch announcement
- CVE-2024-50062 Official CVE Record

This vulnerability and its resolution demonstrate the importance of carefully handling edge cases and error paths, especially in critical systems like the Linux kernel. By adding the appropriate sanity checks and aborting early on error, developers can prevent issues like null pointer dereferences and preserve the overall stability and security of their software.

Timeline

Published on: 10/21/2024 20:15:18 UTC
Last modified on: 10/23/2024 21:48:57 UTC