CVE-2024-36915 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
syzbot reported unsafe calls to copy_from_sockptr() [1]
Use copy_safe_from_sockptr() instead.
[1]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078
CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/18/2025
The vulnerability CVE-2024-36915 affects the Linux kernel's NFC (Near Field Communication) LLCP (Logical Link Control Protocol) implementation, specifically within the nfc_llcp_setsockopt() function. This issue stems from unsafe memory copy operations that utilize the copy_from_sockptr() API without proper bounds checking, leading to potential out-of-bounds memory access conditions. The flaw was identified through automated fuzzing by syzbot, which reported KASAN (Kernel Address Sanitizer) warnings indicating slab-out-of-bounds errors during execution. These errors occur when the kernel attempts to read memory beyond allocated buffer boundaries, creating a potential avenue for privilege escalation or system instability.
The technical root cause lies in the improper handling of socket pointer operations within the NFC LLCP subsystem. When nfc_llcp_setsockopt() processes socket options, it directly calls copy_from_sockptr() without employing the safer copy_safe_from_sockptr() function. This pattern violates secure coding practices and exposes the kernel to memory corruption vulnerabilities. The stack trace shows the error propagating from copy_from_sockptr_offset through copy_from_sockptr to the vulnerable nfc_llcp_setsockopt function, where a read operation of size 4 occurs at address ff0088801caa1ec3. This memory access pattern represents a classic buffer overflow scenario that could be exploited to overwrite adjacent memory regions or trigger kernel crashes.
The operational impact of this vulnerability extends beyond simple denial of service, as it presents potential security risks within the NFC subsystem of Linux-based devices. Systems utilizing NFC functionality, particularly those running kernel versions containing this flaw, could be susceptible to memory corruption attacks that might allow malicious actors to escalate privileges or compromise system integrity. The vulnerability affects kernel versions where the NFC LLCP socket implementation lacks proper bounds checking for socket pointer operations, making it particularly concerning for embedded systems and mobile devices that rely heavily on NFC communication protocols. This issue aligns with CWE-121, which describes unsafe use of stack-based buffer operations, and represents a direct violation of secure coding principles for kernel space memory management.
Mitigation strategies for CVE-2024-36915 focus on updating to kernel versions that have addressed this specific vulnerability through the implementation of copy_safe_from_sockptr() instead of the unsafe copy_from_sockptr() calls. System administrators should prioritize applying security patches from their respective kernel maintainers or distribution vendors, as the fix directly addresses the problematic memory copy operations within the NFC LLCP subsystem. Additionally, monitoring systems should be configured to detect unusual network behavior or kernel memory access patterns that might indicate exploitation attempts. The recommended solution aligns with ATT&CK technique T1068, which addresses privilege escalation through kernel vulnerabilities, and emphasizes the importance of maintaining up-to-date kernel security patches as a fundamental defensive measure against such exploits.