CVE CyberSecurity Database News

CVE-2024-53130 - Fixing NULL pointer dereference issue in Linux Kernel related to "block_dirty_buffer" tracepoint

Poster -

A critical vulnerability (CVE-2024-53130) has been discovered and resolved in the Linux Kernel. This vulnerability is related to the "block_dirty_buffer" tracepoint in the nilfs2 filesystem causing NULL pointer dereference or general protection fault when Kernel Address SANitizer (KASAN) is enabled.

The Problem

In the Linux Kernel, the use of "block:block_dirty_buffer" tracepoint in the mark_buffer_dirty() function can lead to a NULL pointer dereference or a general protection fault when KASAN is enabled. This occurs because the tracepoint references the dev_t member bh->b_bdev->bd_dev without taking into consideration whether the buffer head has a valid pointer to a block_device structure.

The following code snippet from the mark_buffer_dirty() function showcases the issue

trace_block_dirty_buffer(bh);

The root cause of this issue lies in the nilfs_grab_buffer() function, which is responsible for grabbing a buffer to read (or create) a block of metadata, including b-tree node blocks. The function does not set the block device, and only does so if the buffer is not in the "uptodate" state for each of its caller block reading functions.

If the folio/page has the uptodate flag set, and the buffer heads are detached from it by the try_to_free_buffers() function, new buffer heads are then attached by create_empty_buffers() function. The uptodate flag may then be restored to each buffer without setting the block device to bh->b_bdev. This leads to mark_buffer_dirty() being called later in that state, resulting in the NULL pointer dereference issue.

Proposed Solution

To resolve this issue, we must update the nilfs_grab_buffer() function to always set the block device of the super block structure to the buffer head, regardless of the buffer's uptodate flag state.

Here is a code snippet showcasing the fix

void nilfs_grab_buffer(struct super_block *sb, struct buffer_head *bh)
{
    /* ... */

    /* Set the block device to the buffer head */
    bh->b_bdev = sb->s_bdev;

    /* ...*/
}

By applying this patch, we can eliminate the NULL pointer dereference issue related to the "block_dirty_buffer" tracepoint.

Original References:
1. The Linux kernel source code, which contains the affected code can be found at this official repository: https://github.com/torvalds/linux
2. For more information about the nilfs2 filesystem, refer to this link: https://www.nilfs.org
3. The full patch, which addresses this issue, can be found in this commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=xxxxxxx

Exploit Details

An attacker with the ability to control the state of buffer heads on a system using the nilfs2 filesystem could trigger this vulnerability to cause a NULL pointer dereference or a general protection fault, leading to a denial of service (DoS) or other potential security risks. This is particularly concerning when KASAN is enabled on the system.

Conclusion

The Linux Kernel vulnerability CVE-2024-53130 is a critical issue that affects systems using the nilfs2 filesystem. By applying the proposed patch, system administrators can protect their systems from potential exploits and security risks. It is essential to stay informed about such vulnerabilities and apply necessary patches promptly to ensure the security and stability of your systems.

Timeline

Published on: 12/04/2024 15:15:12 UTC
Last modified on: 12/11/2024 15:01:08 UTC