A new vulnerability has been identified and resolved in the Linux kernel under the tracing/probes component. This article will provide an overview of the vulnerability (CVE-2024-50132), related code snippets, original references, as well as details about the exploit and the solution.
Vulnerability Details
The issue arises when creating a trace_probe: nr_args was set before the argument list was truncated to MAX_TRACE_ARGS, so nr_args could exceed the limit while only the arguments up to the limit were initialized. Code that later walked all nr_args entries therefore touched uninitialized entries, and setting up a probe with more than 128 fetchargs caused a kernel NULL pointer dereference.
The following kernel oops shows the resulting crash:
BUG: kernel NULL pointer dereference, address: 0000000000000020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
RIP: 0010:__set_print_fmt+0x134/0x330
Solution
To resolve this issue, apply the MAX_TRACE_ARGS limit earlier and return an error when there are too many arguments, instead of silently truncating them.
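As an added illustration, not code from this page or from the kernel, the following user-space C model reproduces the ordering defect (nr_args recorded before truncation) next to the corrected early check. The struct layout, the helper names and the -E2BIG return value are assumptions of the model, not the kernel's actual diff.

```c
/* Simplified user-space model of CVE-2024-50132 (constructed example, not kernel code). */
#include <errno.h>
#include <stdlib.h>

#define MAX_TRACE_ARGS 128

struct fetch_type { const char *fmt; };            /* stand-in for the kernel's fetch_type */
struct probe_arg  { const struct fetch_type *type; };
struct trace_probe {
    unsigned int nr_args;
    struct probe_arg *args;                         /* zeroed on allocation, like kcalloc() */
};

static const struct fetch_type type_u64 = { "%Lu" };

/* Vulnerable ordering: nr_args records the caller's count, but the loop
 * stops initialising at MAX_TRACE_ARGS, leaving the tail entries with a NULL type. */
static int probe_create_vulnerable(struct trace_probe *tp, unsigned int argc)
{
    tp->args = calloc(argc, sizeof(*tp->args));
    if (!tp->args)
        return -ENOMEM;
    tp->nr_args = argc;                             /* set before truncation */
    for (unsigned int i = 0; i < argc && i < MAX_TRACE_ARGS; i++)
        tp->args[i].type = &type_u64;
    return 0;
}

/* Fixed ordering: enforce the limit first and refuse the request instead of
 * silently truncating, so nr_args can never exceed the initialised entries. */
static int probe_create_fixed(struct trace_probe *tp, unsigned int argc)
{
    if (argc > MAX_TRACE_ARGS)
        return -E2BIG;                              /* assumed error code for the model */
    return probe_create_vulnerable(tp, argc);       /* argc <= limit: every entry initialised */
}

/* Models the walk in __set_print_fmt(): counts entries whose type is NULL.
 * In the kernel the first such entry is dereferenced (type->fmt) and oopses. */
static unsigned int count_uninitialised_args(const struct trace_probe *tp)
{
    unsigned int bad = 0;
    for (unsigned int i = 0; i < tp->nr_args; i++)
        if (tp->args[i].type == NULL)
            bad++;
    return bad;
}
```

With 130 arguments the vulnerable path reports two uninitialised entries that the kernel would dereference, while the fixed path rejects the request up front.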
Links to Original References
1. Linux Kernel Mailing List (LKML) post discussing the fix
2. Linux Kernel commit that resolves the vulnerability
Exploit Details
An attacker could exploit this vulnerability by attempting to create trace_probe events with more than the allowed number of fetchargs (128). This could cause undefined behavior due to invalid memory access and potentially lead to a crash or other unintended consequences within the kernel.
The fix for this vulnerability ensures that the limit of MAX_TRACE_ARGS is applied earlier during trace_probe creation, preventing the invalid memory access issue. Additionally, the fix changes the previous behavior of silently truncating excessive arguments to returning an error, providing clearer feedback to users.
Conclusion
The vulnerability in the Linux kernel's tracing/probes component (CVE-2024-50132) has been resolved, preventing the triggering of the kernel NULL pointer dereference error. Applying the fix ensures that the MAX_TRACE_ARGS limit is adhered to and provides an error message when too many arguments are included, ultimately increasing the stability and security of the kernel.
Timeline
Published on: 11/05/2024 18:15:15 UTC
Last modified on: 11/07/2024 21:32:37 UTC