CVE-2024-45000 in Linux

Summary

by MITRE • 09/04/2024

In the Linux kernel, the following vulnerability has been resolved:

fs/netfs/fscache_cookie: add missing "n_accesses" check

This fixes a NULL pointer dereference bug due to a data race which looks like this:

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
Workqueue: events_unbound netfs_rreq_write_to_cache_work
RIP: 0010:cachefiles_prepare_write+0x30/0xa0
Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10
RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286
RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000
RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438
RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001
R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68
R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00
FS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0
Call Trace:
 ? __die+0x1f/0x70
 ? page_fault_oops+0x15d/0x440
 ? search_module_extables+0xe/0x40
 ? fixup_exception+0x22/0x2f0
 ? exc_page_fault+0x5f/0x100
 ? asm_exc_page_fault+0x22/0x30
 ? cachefiles_prepare_write+0x30/0xa0
 netfs_rreq_write_to_cache_work+0x135/0x2e0
 process_one_work+0x137/0x2c0
 worker_thread+0x2e9/0x400
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xcc/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x30/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---

This happened because fscache_cookie_state_machine() was slow and was still running while another process invoked fscache_unuse_cookie(); this led to a fscache_cookie_lru_do_one() call, setting the FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by fscache_cookie_state_machine(), withdrawing the cookie via cachefiles_withdraw_cookie(), clearing cookie->cache_priv.

At the same time, yet another process invoked cachefiles_prepare_write(), which found a NULL pointer in this code line:

struct cachefiles_object *object = cachefiles_cres_object(cres);

The next line crashes, obviously:

struct cachefiles_cache *cache = object->volume->cache;

During cachefiles_prepare_write(), the "n_accesses" counter is non-zero (via fscache_begin_operation()). The cookie must not be withdrawn until it drops to zero.

The counter is checked by fscache_cookie_state_machine() before switching to FSCACHE_COOKIE_STATE_RELINQUISHING and FSCACHE_COOKIE_STATE_WITHDRAWING (in "case FSCACHE_COOKIE_STATE_FAILED"), but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case FSCACHE_COOKIE_STATE_ACTIVE").

This patch adds the missing check. With a non-zero access counter, the function returns and the next fscache_end_cookie_access() call will queue another fscache_cookie_state_machine() call to handle the still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.


Analysis

by VulDB Data Team • 10/04/2024

The vulnerability described in CVE-2024-45000 resides within the Linux kernel's filesystem caching subsystem, specifically in the fscache cookie management mechanism. This issue manifests as a NULL pointer dereference that can lead to system instability and potential denial of service conditions. The flaw occurs within the cachefiles_prepare_write function where a race condition allows for improper cookie state transitions, resulting in a scenario where cache_priv is cleared while active operations are still referencing it. The vulnerability is particularly concerning because it can be triggered through concurrent access patterns involving cache operations, making it exploitable in multi-threaded environments where multiple processes interact with the same cache resources.

The technical root cause stems from a missing validation check in the fscache_cookie_state_machine() function during the handling of the FSCACHE_COOKIE_STATE_LRU_DISCARDING state. According to the Linux kernel's caching architecture and the associated CWE classification under CWE-476, this represents a NULL pointer dereference vulnerability that occurs due to improper synchronization between concurrent operations. The race condition develops when one process invokes fscache_unuse_cookie() while another process is still actively using the cache cookie, leading to inconsistent state management. The system fails to properly check the n_accesses counter during LRU discarding operations, which should prevent cookie withdrawal while active references exist. This failure directly violates the principle of proper resource management and concurrent access control that is fundamental to secure kernel operation.

The operational impact of this vulnerability extends beyond a single crash to system stability and availability. When triggered, the NULL pointer dereference produces a kernel oops and can result in system hangs or forced reboots, particularly on systems that rely heavily on caching, such as network file systems or distributed storage deployments. The affected cachefiles subsystem underpins the Linux kernel's network file system caching and is used in enterprise and high-performance computing environments. The crash itself occurs in cachefiles_prepare_write(), which reads object->volume->cache after the cookie has been withdrawn but before the access counter has been properly decremented, the temporal window in which the race condition manifests.

Mitigation strategies for this vulnerability require both immediate kernel updates and careful system administration practices. The primary fix involves implementing the missing n_accesses check in the fscache_cookie_state_machine() function, ensuring that cookies marked for LRU discarding cannot be withdrawn while active operations are pending. This aligns with ATT&CK technique T1484.001 which involves privilege escalation through kernel-level attacks, and addresses the underlying concurrency control issues that enable such vulnerabilities. System administrators should prioritize applying the patched kernel version immediately, while also monitoring for potential denial of service conditions in systems with high cache activity. Additionally, implementing proper resource management practices and ensuring adequate system monitoring can help detect and respond to similar race condition scenarios that may exist in other parts of the kernel's caching subsystem.
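The interleaving described in the commit message (fscache_begin_operation() on the write side, fscache_unuse_cookie() setting FSCACHE_COOKIE_DO_LRU_DISCARD, the state machine withdrawing the cookie) and the fix described in the analysis, replayed in a small C model. This is an added example, not code from the kernel or from VulDB: the enum, struct and function names are hypothetical stand-ins for the fscache/cachefiles routines named in the text, and the two tasks' steps run in a fixed order rather than as real threads. The `patched` flag switches the n_accesses check on or off.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical single-threaded model of the fscache cookie state machine (not kernel code). */
enum cookie_state { STATE_ACTIVE, STATE_LRU_DISCARDING, STATE_WITHDRAWN };

struct cookie {
    enum cookie_state state;
    int n_accesses;        /* in-flight operations, stands in for cookie->n_accesses */
    bool do_lru_discard;   /* stands in for the FSCACHE_COOKIE_DO_LRU_DISCARD flag */
    void *cache_priv;      /* cleared by the modelled cachefiles_withdraw_cookie() */
};

static int model_object;   /* constructed: what cache_priv points at while the cookie is usable */

/* One run of the state machine; 'patched' selects whether the n_accesses check exists. */
static void state_machine(struct cookie *c, bool patched)
{
    if (c->state == STATE_ACTIVE && c->do_lru_discard) {
        if (patched && c->n_accesses != 0)
            return;            /* the added check: leave DO_LRU_DISCARD pending, come back later */
        c->state = STATE_LRU_DISCARDING;
    }
    if (c->state == STATE_LRU_DISCARDING) {
        c->cache_priv = NULL;  /* cachefiles_withdraw_cookie() clears cookie->cache_priv */
        c->state = STATE_WITHDRAWN;
    }
}

static void begin_access(struct cookie *c) { c->n_accesses++; }   /* fscache_begin_operation() */

/* fscache_end_cookie_access(): the last user re-queues the state machine if a discard is pending. */
static void end_access(struct cookie *c, bool patched)
{
    if (--c->n_accesses == 0 && c->do_lru_discard)
        state_machine(c, patched);
}

/* Replays the interleaving from the oops. Returns 0 if the write side would dereference NULL,
 * 1 if it saw a valid object but the discard never completed, 2 if both went right. */
static int run_race(bool patched)
{
    struct cookie c = { STATE_ACTIVE, 0, false, &model_object };
    begin_access(&c);                 /* writer: fscache_begin_operation(), n_accesses = 1 */
    c.do_lru_discard = true;          /* other task: fscache_unuse_cookie() -> lru_do_one() */
    state_machine(&c, patched);       /* worker: fscache_cookie_state_machine() runs now */
    bool object_ok = c.cache_priv != NULL;   /* cachefiles_prepare_write() reads cache_priv */
    end_access(&c, patched);          /* writer finishes; a pending discard may now proceed */
    if (!object_ok)
        return 0;
    return c.state == STATE_WITHDRAWN ? 2 : 1;
}
```

Without the check the worker withdraws the cookie under the active writer (result 0); with it the writer completes and the deferred discard still runs once n_accesses drops to zero (result 2).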

Responsible: Linux
Reservation: 08/21/2024
Disclosure: 09/04/2024
Moderation: accepted
CPE: ready
EPSS: 0.00224
KEV: no
Activities: very low
