CVE-2024-56749 - DLM Recover Members Refcount Fix and Exploit Details in Linux Kernel

A recently resolved vulnerability in the Linux kernel, specifically in the Distributed Lock Manager (DLM), carries a Common Vulnerabilities and Exposures (CVE) ID of CVE-2024-56749. This vulnerability pertained to the dlm_recover_members function, where a failure in this function could lead to references not being dropped, resulting in potential issues. In this post, we'll explain the vulnerability, delve into the code fix, and provide details around exploiting and mitigating this vulnerability. Additional original references can be found at the end of the post.

Vulnerability Explanation

The dlm_recover_members() function is responsible for managing the DLM recovery process. This involves recovering and acknowledging locks from previous members of the DLM cluster. However, if this function fails, the references of the previously created root_list are not dropped, which holds and keeps all rsbs (Recoverable Sequence Batch) alive during the recovery process.

It is worth noting that this is not a highly unlikely event. The ping_members() function could run into an -EINTR (Interrupted System Call) if another recovery process was triggered again while it is still processing. When this error occurs, the previously mentioned root_list's references are not dropped, resulting in the issue.

Code Fix

The following code snippet illustrates the fix for this vulnerability. The key change is adding a call to dlm_clear_members() when the dlm_recover_members() function fails:

int dlm_recover_members(struct dlm_ls *ls)
{
  ...
  error = ping_members(ls);
  if (error == -EINTR) {
    log_debug(ls->debugfs_dlm, "dlm_recover_members aborted: %d", error);
+   dlm_clear_members(ls);
    goto out;
  }
  ...
out:
  return error;
}

By adding the 'dlm_clear_members(ls);' line, the references will now be dropped from the root_list when the dlm_recover_members() function fails due to the -EINTR error.

Exploit Details

Exploiting this vulnerability would heavily depend on the specific use case and environment set up for the DLM cluster. Essentially, an attacker would need to cause a disruption to the normal operations of the cluster, resulting in continuous and simultaneous recoveries being triggered. This would then increase the chances of the dlm_recover_members() function failing due to the -EINTR error and keeping the root_list references alive.

Mitigation

Applying the code fix mentioned above and maintaining an up-to-date Linux kernel are the primary steps to mitigating this vulnerability. Additionally, monitoring the DLM cluster and ensuring multiple recovery processes are not being triggered simultaneously can also help in preventing the exploitation of this vulnerability.

Original References

For more information on this vulnerability, its fix, and the discussion around it, please refer to the following resources:

1. Linux Kernel Patch - dlm: fix dlm_recover_members refcount on error
2. Kernel.org Git Repository - dlm: fix dlm_recover_members refcount on error

Conclusion

CVE-2024-56749 highlighted an important vulnerability in the Linux kernel's DLM, where the dlm_recover_members() function failure could result in reference leaks. By applying the proper code fix and maintaining an up-to-date and well-managed DLM cluster, the risk of exploitation and negative impacts stemming from this vulnerability can be significantly minimized.

Timeline

Published on: 12/29/2024 12:15:08 UTC
Last modified on: 01/06/2025 17:06:18 UTC