CVE-2024-36288 in Linux
Summary
by MITRE • 06/21/2024
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
The in_token->pages[] array is not NULL terminated. This results in
the following KASAN splat:
KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]
Analysis
by VulDB Data Team • 06/25/2024
CVE-2024-36288 is a memory-safety bug in the Linux kernel's SUNRPC subsystem, in gss_free_in_token_pages() (net/sunrpc/auth_gss/svcauth_gss.c), the routine that releases the pages backing an RPCSEC_GSS authentication token once the server is done with it. The loop that walks the token's in_token->pages[] array treats a NULL entry as the end marker, but the array is never NULL-terminated, so the loop runs past the last valid page pointer. The KASAN report quoted in the summary shows the result: a wild memory access at an address that is not a valid page pointer.
The root cause is a mismatch between the loop's termination condition and the data structure it walks. in_token->pages[] holds one page pointer per page of token data, and the number of valid entries is fixed by the token's length, not by a terminator. A loop that stops only at a NULL pointer therefore reads one or more slots beyond the end of the allocation and hands whatever it finds there to the page-release code. With KASAN enabled this is reported as "maybe wild-memory-access" over 0x04a2013400000008-0x04a201340000000f, an eight-byte (pointer-sized) read of an address that lies nowhere near mapped kernel memory. On a production kernel, which is built without KASAN, the same read goes unnoticed until the bogus pointer is used, and that typically ends in an oops inside the nfsd/sunrpc code. Indexing a fixed-length array past its last element is the pattern CWE-129 (Improper Validation of Array Index) describes, and that is how this CVE is classified.
The published material documents a crash, not code execution. The demonstrated outcome is a kernel oops from a wild memory access while freeing a token; at minimum that kills the affected kernel thread, and on hosts with panic_on_oops set it takes the machine down. Whether the stray access could be steered into anything beyond denial of service depends on what happens to sit after the pages[] allocation, and nothing in the advisory shows that. The exposed component is the server side of RPCSEC_GSS (svcauth_gss), so the hosts that matter are Linux NFS servers, and any other kernel RPC service, that accept Kerberos-authenticated clients; the affected code runs while processing authentication tokens that clients supply over the network, which is what makes the bug reachable remotely rather than only by a local user.
Mitigation is to run a kernel that carries the upstream fix. Check your distribution's advisory for CVE-2024-36288 (Red Hat, SUSE, Debian, Ubuntu and the other major distributions track kernel CVEs individually) and compare the fixed package version against the running kernel. As the commit title says, the fix changes the loop termination condition: the loop is bounded by the number of pages the token actually occupies instead of scanning for a NULL entry, which removes the dependence on a terminator the array never had; the array itself is not changed to carry one. Two caveats on advice that is often repeated for this CVE. First, KASAN is a debug build option that production kernels do not enable, so there are no KASAN warnings to monitor in production; watch for unexplained oopses attributed to nfsd or sunrpc instead. Second, exposure is limited to hosts that actually serve RPCSEC_GSS, so a quick check of whether the nfsd, auth_rpcgss and rpcsec_gss_krb5 modules are loaded tells you whether a given server is in scope at all. Until the patched kernel is deployed, restrict which networks can reach the NFS and RPC ports (2049, and 111 where the portmapper is exposed) on affected servers.
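The following userspace model, added here as an example and not taken from the kernel or from VulDB, puts the two loop termination conditions side by side: the NULL-scan that the root-cause paragraph describes, and the length-bounded loop that the mitigation paragraph attributes to the fix. struct in_token, PAGE_SIZE, make_token(), the capacity field and the POISON value are assumptions of the model; the kernel's real structure (struct gssp_in_token) and its real release call (put_page()) are not reproduced. The poison value reuses the address from the KASAN line in the summary so the overrun is recognisable in the output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model assumptions (not kernel code): a fixed page size and a token whose
 * data is spread across pages[] with no NULL terminator, the layout the
 * advisory describes for in_token->pages[]. */
#define PAGE_SIZE 4096u
/* Non-NULL garbage standing in for whatever follows the allocation in
 * memory; the value is the address from the advisory's KASAN line. */
#define POISON ((void *)(uintptr_t)0x04a2013400000008ULL)

struct in_token {
    void  **pages;    /* one pointer per page of token data, NOT NULL-terminated */
    size_t  page_len; /* bytes of token data held in pages[] */
    size_t  capacity; /* model only: slots allocated, including poison slack */
};

/* Pages needed to hold `bytes` of token data (0 bytes -> 0 pages). */
static size_t npages(size_t bytes) {
    return (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Build a token with exactly npages(bytes) real pages, followed by `slack`
 * slots of POISON so an overrun has something to trip over. */
static struct in_token *make_token(size_t bytes, size_t slack) {
    struct in_token *t = calloc(1, sizeof *t);
    size_t n = npages(bytes);
    t->page_len = bytes;
    t->capacity = n + slack;
    t->pages = calloc(t->capacity ? t->capacity : 1, sizeof *t->pages);
    for (size_t i = 0; i < n; i++)
        t->pages[i] = malloc(PAGE_SIZE);
    for (size_t i = n; i < t->capacity; i++)
        t->pages[i] = POISON;
    return t;
}

static void destroy_token(struct in_token *t) {
    for (size_t i = 0; i < npages(t->page_len); i++)
        free(t->pages[i]);          /* free(NULL) is a no-op for already-released slots */
    free(t->pages);
    free(t);
}

/* Vulnerable condition: walk until a NULL entry. The array has none, so the
 * walk continues into the slack. Returns how many slots it would have handed
 * to the page-release code and counts how many of them were garbage. The
 * `i < t->capacity` guard belongs to the model only, so this demo stays in
 * bounds; the kernel loop had no such stop. */
static size_t release_until_null(const struct in_token *t, size_t *garbage) {
    size_t i = 0;
    *garbage = 0;
    while (i < t->capacity && t->pages[i] != NULL) {
        if (t->pages[i] == POISON)
            (*garbage)++;           /* in the kernel: a wild page release */
        i++;
    }
    return i;
}

/* Fixed condition, as the commit title describes: bound the loop by the
 * number of pages the token occupies, derived from page_len, so the array
 * needs no terminator at all. */
static size_t release_by_length(struct in_token *t) {
    size_t n = npages(t->page_len);
    for (size_t i = 0; i < n; i++) {
        free(t->pages[i]);          /* stands in for put_page() */
        t->pages[i] = NULL;
    }
    return n;
}

/* Scenario helpers so each result is a plain return value. */
static size_t slots_touched_by_null_scan(size_t bytes, size_t slack) {
    struct in_token *t = make_token(bytes, slack);
    size_t garbage, n = release_until_null(t, &garbage);
    destroy_token(t);
    return n;
}
static size_t garbage_touched_by_null_scan(size_t bytes, size_t slack) {
    struct in_token *t = make_token(bytes, slack);
    size_t garbage;
    release_until_null(t, &garbage);
    destroy_token(t);
    return garbage;
}
static size_t pages_released_by_length(size_t bytes, size_t slack) {
    struct in_token *t = make_token(bytes, slack);
    size_t n = release_by_length(t);
    destroy_token(t);
    return n;
}

int main(void) {
    size_t bytes = 3 * PAGE_SIZE + 17;   /* constructed token that spills into a 4th page */
    printf("token of %zu bytes -> %zu pages\n", bytes, npages(bytes));
    printf("NULL-scan touches %zu slots (%zu garbage)\n",
           slots_touched_by_null_scan(bytes, 4), garbage_touched_by_null_scan(bytes, 4));
    printf("length-bounded loop releases %zu pages\n", pages_released_by_length(bytes, 4));
    return 0;
}
```

For the constructed 12305-byte token the program reports four pages, a NULL-scan that touches eight slots (four of them garbage) and a length-bounded loop that releases exactly four. The model's capacity guard is the only thing keeping the vulnerable loop from faulting here; the KASAN splat in the summary is what happens when that guard does not exist.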