CVE-2024-40947 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
ima: Avoid blocking in RCU read-side critical section
A panic happens in ima_match_policy:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca
Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems.
Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen.
The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic.
To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC.
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/03/2025
The vulnerability described in CVE-2024-40947 resides within the Linux kernel's Integrity Measurement Architecture (IMA) subsystem, specifically in the ima_match_policy function. This flaw manifests as a potential kernel panic resulting from a NULL pointer dereference, which occurs when the kernel attempts to access memory at address 0x0000000000000010. The panic arises from improper handling of memory allocation within an RCU (Read-Copy-Update) read-side critical section, a scenario that violates fundamental kernel design principles and can lead to severe system instability.
The technical root cause stems from a change introduced in commit c7423dbdbc9e, which modified the ima_filter_rule_match function to handle -ESTALE return values. This modification inadvertently introduced a call to ima_lsm_copy_rule within an RCU read-side critical section. The problematic aspect occurs when kmalloc with GFP_KERNEL flag is invoked inside this critical section, as this allocation can potentially sleep during memory management operations. According to the Linux kernel documentation and security best practices, RCU read-side critical sections must not contain operations that can sleep, particularly those involving memory allocation that might block. This constraint is especially critical on non-PREEMPT systems where such sleeping operations can cause synchronize_rcu() to return prematurely, thereby compromising the integrity of RCU protection mechanisms.
The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to use-after-free (UAF) conditions that may be exploited by malicious actors. The race condition described in the vulnerability analysis demonstrates how Thread B executing ima_match_policy within an RCU read-side critical section can access freed memory after Thread A performs synchronize_rcu and kfree operations. This scenario creates a window where memory that was previously freed becomes accessible again, potentially allowing attackers to manipulate kernel data structures or execute arbitrary code. The vulnerability aligns with CWE-416 (Use After Free) and represents a critical security flaw that could be leveraged for privilege escalation or system compromise, particularly in containerized environments where IMA is actively used for security policy enforcement.
The mitigation strategy involves converting all kmalloc operations that occur within RCU read-side critical sections to utilize GFP_ATOMIC flag instead of GFP_KERNEL. This change ensures that memory allocations within these critical sections cannot sleep, thereby maintaining the integrity of RCU protection mechanisms. The fix specifically addresses the issue by preventing the problematic kmalloc(GFP_KERNEL) call from occurring within the RCU read-side critical section, as recommended by the Linux kernel security guidelines and the ATT&CK framework's approach to kernel-level privilege escalation techniques. This modification aligns with the broader security principle of avoiding blocking operations in contexts where system responsiveness and memory consistency are paramount, particularly within the IMA subsystem where kernel integrity is continuously monitored and enforced.