A recent vulnerability in the btrfs filesystem of the Linux kernel has been resolved. The vulnerability, identified as CVE-2024-50087, was observed in the read_alloc_one_name() function. In this post we discuss the details of the issue, examine the code snippet, and provide links to the original references and further information about the bug.

The Vulnerability

The btrfs filesystem in the Linux kernel includes a function known as read_alloc_one_name(). When the kmalloc() allocation inside it fails, the function returns without initializing the 'name' field of the fscrypt_str struct passed to it. As a result, fscrypt_str.name is not guaranteed to be initialized when the caller later frees it. The bug was introduced by commit e43eec81c516, which replaced name and namelen pairs with struct qstr.

Here is a simplified example of the code:

int read_alloc_one_name(struct inode *dir, int len, struct fscrypt_str *dest)
{
    char *buf;

    buf = kmalloc(len, GFP_KERNEL);
    if (!buf)
        return -ENOMEM;   /* dest->name is left untouched on this error path */

    // ... copy the name bytes into buf ...
    dest->name = buf;
    dest->len = len;
    return 0;
}

Once the error was identified, a fix was proposed and merged into the kernel. The fix ensures that if the allocation for the 'name' buffer fails, read_alloc_one_name() sets the 'name' field to NULL before returning. Consequently, a later kfree() of that field on the error path operates on NULL, which kfree() accepts, rather than on an indeterminate pointer.

The following code snippet displays the implemented fix:

int read_alloc_one_name(struct inode *dir, int len, struct fscrypt_str *dest)
{
    char *buf;

    buf = kmalloc(len, GFP_KERNEL);
    if (!buf) {
        dest->name = NULL;   /* make a later kfree(dest->name) a harmless no-op */
        return -ENOMEM;
    }

    // ... copy the name bytes into buf ...
    dest->name = buf;
    dest->len = len;
    return 0;
}

With the merged patch, the Linux kernel no longer frees an uninitialized pointer on this btrfs error path.
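To make the failure mode concrete, here is an added userland C example (not kernel code and not part of the original post) that reproduces the two versions of the function side by side. The struct, function and allocator names are simplified stand-ins, and a fault-injection flag plays the role of a failing kmalloc(); a sentinel address stands in for whatever stale value an uninitialized field would hold.

```c
#include <stdlib.h>
#include <string.h>

/* Userland stand-in for the kernel's struct fscrypt_str (simplified for this example). */
struct name_str {
    char *name;
    unsigned int len;
};

/* Fault injection: when set, the allocator returns NULL the way a failing kmalloc() does. */
static int fail_alloc;
static void *alloc_or_fail(size_t n) { return fail_alloc ? NULL : malloc(n); }

/* Mirrors the unfixed logic: on allocation failure dest->name is never written. */
static int read_name_buggy(const char *src, unsigned int len, struct name_str *dest)
{
    char *buf = alloc_or_fail(len);
    if (!buf)
        return -1;          /* dest->name still holds whatever the caller had there */
    memcpy(buf, src, len);
    dest->name = buf;
    dest->len = len;
    return 0;
}

/* Mirrors the fix: the field is set to NULL on failure, so a later free() is a no-op. */
static int read_name_fixed(const char *src, unsigned int len, struct name_str *dest)
{
    char *buf = alloc_or_fail(len);
    if (!buf) {
        dest->name = NULL;
        return -1;
    }
    memcpy(buf, src, len);
    dest->name = buf;
    dest->len = len;
    return 0;
}

/* Simulates the caller's error path: returns 1 if dest.name still points at the stale
 * sentinel after a failed call, i.e. the pointer a kfree() at an "out:" label would free. */
static int error_path_leaves_stale_pointer(int (*fn)(const char *, unsigned int, struct name_str *))
{
    char sentinel;
    struct name_str dest = { &sentinel, 0 };   /* stand-in for an uninitialized field */
    fail_alloc = 1;
    int rc = fn("abc", 3, &dest);
    fail_alloc = 0;
    return rc != 0 && dest.name == &sentinel;
}
```

Run with the sanitizer of your choice and replace the sentinel with a real free() to watch the buggy variant crash, while the fixed variant frees NULL without incident.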

For more details on the patch and its implementation, see the following sources:

1. Linux git commit - details of the merged patch.

2. Btrfs bug report - detailed report and discussion of the bug.

3. Kernel mailing list thread - discussion of the initial patch and the issue.

Moving Forward

CVE-2024-50087 serves as a reminder to always perform thorough checks and tests on code to ensure that all potential vulnerabilities are addressed. In this case, the quick response from the Linux kernel community and the developers ensured a prompt fix. Users are encouraged to update their systems to the latest kernel versions to eliminate the risks associated with this vulnerability.

Timeline

Published on: 10/29/2024 01:15:05 UTC
Last modified on: 10/30/2024 14:40:16 UTC