In the world of computer security, vulnerabilities are a frequent problem, and the open-source Linux kernel is no exception. These bugs can allow attackers to exploit systems and cause varying degrees of damage. The Linux kernel team and security researchers are constantly working to identify, report, and fix any vulnerabilities that arise. One such recent vulnerability, identified as CVE-2024-53131, involves a null-ptr-deref in the block_touch_buffer tracepoint within the nilfs2 file system of the Linux kernel.

A series of patches was developed to address this vulnerability, focusing on fixing the null pointer dereference bugs in the nilfs2 and block-related tracepoints. This post delves into the details of the vulnerability, the patches implemented, and provides links to the original references.

The Vulnerability

The issue with CVE-2024-53131 revolves around the touch_buffer() function call in the __nilfs_get_folio_block() function when the "block:block_touch_buffer" tracepoint is used. The problem occurs as the tracepoint added in touch_buffer() tries to reference the dev_t member bh->b_bdev->bd_dev independent of whether the buffer head has a pointer to a block_device structure.

When this happens, a null pointer dereference is triggered, causing a general protection fault when the Kernel Address Sanitizer (KASAN) is enabled. In the existing implementation, the block_device structure is only set after the function returns to the caller.

The touch_buffer() function's purpose is to mark the folio/page owning the buffer head as accessed. However, in a past optimization, the common search helper for folio/page used by the caller function was changed to mark the folio/page as accessed. This made the touch_buffer() call here unnecessary.

The Patch

The patches developed to fix this vulnerability solve the problem by removing the touch_buffer() call entirely. They ensure that the null pointer dereference issue does not occur.

Here's a snippet of the patch showing the changes made

  static int __nilfs_get_folio_block(struct inode *inode,
          unsigned long blkoff, bool create,
          struct page out_page, struct buffer_head out_bh)
  {
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -460,8 +460,6 @@ static int __nilfs_get_folio_block(stru

          if (bpos ==  && !buffer_new(bh))
                  goto got_it;
-       } else
-               touch_buffer(bh);
        }
        /* to see if the buffer is not instantiated or empty buffer
         * must be instantated */

References

- The original report of the bug: Linux Kernel Mailing List
- The patches that fix the vulnerability: Patch 1/2 - Fix touch_buffer dependencies, Patch 2/2 - Remove touch_buffer

Conclusion

CVE-2024-53131 is a perfect example of how continuous efforts in identifying and fixing vulnerabilities in open-source projects like the Linux kernel are crucial for maintaining secure systems. By addressing this null pointer dereference in the nilfs2 and block tracepoints, the developers have prevented potential exploits that could have resulted from this issue.

Timeline

Published on: 12/04/2024 15:15:13 UTC
Last modified on: 12/14/2024 21:15:37 UTC