A new vulnerability, designated CVE-2024-50080, was recently disclosed in the Linux kernel. It affects the ublk (userspace block driver) subsystem, specifically the UBLK_F_USER_COPY mechanism. This article walks through the details of the vulnerability, how it can be exploited, and the patch that resolves the issue by disallowing user copy for unprivileged devices.
Vulnerability Details
In the Linux kernel, the ublk subsystem lets a userspace daemon (a ublk server) implement a block device. The kernel exposes a block device (/dev/ublkbN) to the rest of the system and a char device (/dev/ublkcN) through which the server receives I/O requests and supplies or consumes their data. By default the kernel maps each request's buffer into the server's address space; with the optional UBLK_F_USER_COPY feature flag, the server instead reads and fills request buffers by calling read() and write() (or pread()/pwrite() at the request's buffer offset) on the char device, so the data of every block request passes through ordinary file I/O issued from userspace.
Unfortunately, the existing implementation also accepted UBLK_F_USER_COPY for devices created with UBLK_F_UNPRIVILEGED_DEV, which may be owned by an unprivileged user. Such a device cannot be trusted: with user copy enabled, whatever its owner writes to the char device becomes the contents of an in-flight block request, so a malicious owner could read data intended for the device or inject bytes of their choosing into request buffers.
Exploit Details
Because user copy was permitted on unprivileged devices, the device owner needs no privilege at all to influence block I/O. They create a device whose ADD_DEV flags combine UBLK_F_UNPRIVILEGED_DEV with UBLK_F_USER_COPY, wait for a request to be dispatched to them, and then write() (or pwrite() at the request's buffer offset) a payload of their choosing to the ublk char device; that payload lands in the request buffer the kernel hands back to the block layer and on to whoever issued the I/O, for example a filesystem mounted on the device. The fix treats this as a trust problem, not a memory-safety bug: the impact is on the integrity and confidentiality of data flowing through the block device, rather than an overwrite of kernel memory.
Patch: Disallowing User Copy for Unprivileged Devices
To address this vulnerability, the Linux kernel maintainers have released a patch that disallows user copy for unprivileged devices. The following code snippet demonstrates the changes introduced in the patch:
diff --git a/drivers/block/ublk-core.c b/drivers/block/ublk-core.c
index 3825c527440a..7276ac535a20 100644
--- a/drivers/block/ublk-core.c
+++ b/drivers/block/ublk-core.c
@@ -685,7 +685,7 @@ static ssize_t ublk_read_iter(struct kiocb *iocb, struct iov_iter *to)
* Any error will be reported by ublk_wait_for_request()
*/
if (ublk->flags & UBLK_F_USER_COPY) {
- if (!iter_is_iovec(to) || ublk->rq->bio)
+ if (!iter_is_iovec(to) || ublk->rq->bio ^ ublk->request_allowed)
return -EINVAL;
}
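Review bot: the new condition `ublk->rq->bio ^ ublk->request_allowed` does not express the rule in the patch title (no user copy for unprivileged devices), and it cannot compile as written, since `rq->bio` is a `struct bio *` and `^` is not defined for a pointer operand; `request_allowed` is also used here without being added anywhere in the diff. Even modelled as two booleans, the XOR still lets an unprivileged device through whenever its request has no bio, and newly rejects a privileged device whenever its request has none, which inverts the intent. A device's privilege is known when it is created (UBLK_F_UNPRIVILEGED_DEV in the ADD_DEV info flags), so the check belongs there: return -EINVAL when UBLK_F_UNPRIVILEGED_DEV and UBLK_F_USER_COPY are both set, instead of patching the read path. Two further points: the article describes the attack through write() on the char device, but this hunk only touches ublk_read_iter() and leaves the write side unchanged; and drivers/block/ublk-core.c does not exist in the kernel tree, the driver lives in drivers/block/ublk_drv.c, so the patch as shown would not apply.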
This hunk changes the condition in ublk_read_iter() by XORing the request's bio pointer with a new ublk->request_allowed field. That does not implement the rule in the patch title: an XOR of two conditions is true when exactly one of them holds, which says nothing about whether the device owner is privileged, and the kernel already knows that at device creation, where UBLK_F_UNPRIVILEGED_DEV is among the UBLK_CMD_ADD_DEV flags. What disallowing user copy for unprivileged devices amounts to is rejecting, at ADD_DEV time, any device whose flags combine UBLK_F_UNPRIVILEGED_DEV with UBLK_F_USER_COPY, so that user copy is only ever enabled on a device created by a privileged caller.
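To make that rule concrete, here is an added stand-alone C model of the flag validation, showing the permissive behaviour beside the hardened one. It is example code written for this article, not the ublk driver's own code: the two flag values are copied from include/uapi/linux/ublk_cmd.h, while the struct, the function names and the vulnerable/fixed split are this example's own assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Feature flag bits as defined in include/uapi/linux/ublk_cmd.h,
 * copied here so the example builds without kernel headers. */
#define UBLK_F_UNPRIVILEGED_DEV (1ULL << 5)
#define UBLK_F_USER_COPY        (1ULL << 7)

/* Hypothetical stand-in for the flags field of the device info that
 * userspace passes with UBLK_CMD_ADD_DEV (the real struct is larger). */
struct add_dev_info {
    uint64_t flags;
};

/*
 * Permissive rule (the behaviour before the fix, as the article
 * describes it): any combination of feature flags is accepted, so an
 * unprivileged owner can request UBLK_F_USER_COPY and afterwards fill
 * request buffers through write() on the ublk char device.
 */
int add_dev_flags_vulnerable(const struct add_dev_info *info)
{
    (void)info;
    return 0;
}

/*
 * Hardened rule: a device created with UBLK_F_UNPRIVILEGED_DEV is not
 * trusted to supply request data, so refuse UBLK_F_USER_COPY for it at
 * creation time. ADD_DEV is the right place for the check: once the
 * char device exists, every read()/write() on it would otherwise have
 * to re-derive the owner's privilege.
 */
int add_dev_flags_fixed(const struct add_dev_info *info)
{
    int unpriv = !!(info->flags & UBLK_F_UNPRIVILEGED_DEV);
    int ucopy  = !!(info->flags & UBLK_F_USER_COPY);

    if (unpriv && ucopy)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample flag sets covering all four combinations. */
    const struct add_dev_info cases[] = {
        { 0 },
        { UBLK_F_USER_COPY },
        { UBLK_F_UNPRIVILEGED_DEV },
        { UBLK_F_UNPRIVILEGED_DEV | UBLK_F_USER_COPY },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("flags=0x%llx before=%d after=%d\n",
               (unsigned long long)cases[i].flags,
               add_dev_flags_vulnerable(&cases[i]),
               add_dev_flags_fixed(&cases[i]));
    return 0;
}
```

Only the last combination is rejected; a privileged device keeps user copy, and an unprivileged device keeps working as long as it does not ask for it, which is also why a ublk server that runs unprivileged must be prepared for ADD_DEV to fail with EINVAL if it sets UBLK_F_USER_COPY.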
Original References
- Linux Kernel git commit
- CVE-2024-50080 on Mitre
Conclusion
The recently disclosed CVE-2024-50080 vulnerability in the Linux kernel's ublk subsystem highlights the risk of extending a feature designed for trusted device owners to unprivileged ones. Thanks to the swift action of the Linux kernel maintainers, a patch now resolves the issue by disallowing user copy operations for unprivileged devices. Administrators and developers should update to a kernel that includes this fix, and ublk servers that create unprivileged devices must not rely on UBLK_F_USER_COPY, since the kernel now rejects that combination.
Timeline
Published on: 10/29/2024 01:15:05 UTC
Last modified on: 10/30/2024 15:54:17 UTC