CVE-2024-36963 in Linuxinfo

Summary

by MITRE • 06/03/2024

In the Linux kernel, the following vulnerability has been resolved:

tracefs: Reset permissions on remount if permissions are options

There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are generated when accessed, they default to the root inode's permission if they were never set by the user. If the user sets the permissions, then a flag is set and the permissions are saved via the inode (for tracefs files) or an internal attribute field (for eventfs).

But if a remount happens that specify the permissions, all the files that were not changed by the user gets updated, but the ones that were are not. If the user were to remount the file system with a given permission, then all files and directories within that file system should be updated.

This can cause security issues if a file's permission was updated but the admin forgot about it. They could incorrectly think that remounting with permissions set would update all files, but miss some.

For example:

# cd /sys/kernel/tracing # chgrp 1002 current_tracer # ls -l [..]
-rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root root 0 May 1 21:25 dynamic_events -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root root 0 May 1 21:25 enabled_functions

Where current_tracer now has group "lkp".

# mount -o remount,gid=1001 . # ls -l -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions

Everything changed but the "current_tracer".

Add a new link list that keeps track of all the tracefs_inodes which has the permission flags that tell if the file/dir should use the root inode's permission or not. Then on remount, clear all the flags so that the default behavior of using the root inode's permission is done for all files and directories.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/19/2025

The vulnerability described in CVE-2024-36963 resides within the Linux kernel's tracefs filesystem implementation, specifically addressing inconsistencies in permission handling during filesystem remount operations. This issue affects the tracing subsystem that provides runtime debugging capabilities through the /sys/kernel/tracing directory. The problem manifests when users modify permissions on individual tracefs files and subsequently perform a remount operation with new permission settings. The kernel's handling of these permission updates creates a scenario where some files receive the new permissions while others retain their previously modified settings, leading to potential security inconsistencies.

The technical flaw stems from how tracefs manages inode permissions and the lack of proper synchronization during remount operations. When tracefs files are first accessed, their permissions are generated based on the root inode's default settings if no explicit user modifications have been made. However, when users explicitly change permissions on specific files, the system sets internal flags to track these modifications. During a remount operation, the kernel correctly updates permissions for files that were never modified by the user, but fails to reset the permission flags for files that were previously changed. This creates a divergence where the remount operation only applies new permissions to files that were originally unmodified, leaving user-modified files with their original settings.

This inconsistency creates significant security implications for system administrators who rely on remount operations to uniformly apply permission policies across the entire tracefs filesystem. The vulnerability specifically relates to CWE-284, which addresses improper access control, and can be mapped to ATT&CK technique T1059.001 for privilege escalation through kernel-level access control bypass. When administrators remount tracefs with new group permissions, they expect all files to conform to the new settings, but the current implementation leaves previously modified files with their original group ownership, potentially creating unauthorized access paths. The example demonstrates how the current_tracer file maintains its group ownership as "lkp" even after a remount operation that specifies gid=1001, while all other files correctly adopt the new group "tracing".

The resolution for this vulnerability involves implementing a linked list structure that tracks all tracefs inodes and their permission flags, ensuring that during remount operations the system can properly reset these flags for all files. This approach addresses the root cause by guaranteeing that when remount occurs with permission specifications, all filesystem objects will be reset to use the root inode's default permissions rather than preserving any previous user-modified settings. This fix ensures consistent behavior and prevents the security gap that could allow unauthorized access to tracefs files through the inconsistent permission handling during remount operations, thereby maintaining the integrity of the kernel's security model and preventing potential privilege escalation scenarios.

Reservation

05/30/2024

Disclosure

06/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00190

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!