CVE-2023-52448: Linux Kernel gfs2_rgrp_dump NULL Pointer Dereference Vulnerability Fixed

In this long read post, we will discuss the recent vulnerability discovered and resolved in the Linux kernel identified as CVE-2023-52448. The vulnerability involves a NULL pointer dereference in the gfs2_rgrp_dump function in the GFS2 file system, which could potentially result in kernel panic and denial of service. We will detail the technical aspects of the vulnerability, walk you through the code snippet involved, and provide references to the original reports.

Vulnerability Overview

A NULL pointer dereference vulnerability has been identified and fixed in the Linux kernel's Globally Shared File System 2 (GFS2). Discovered by Syzkaller, the bug could potentially result in a kernel panic and denial of service. The issue arises as a result of an error in the gfs2_rgrp_dump() function, which could be triggered if the creation of the rgd->rd_gl fails in the read_rindex_entry(). The fix, detailed later in this post, involves adding a NULL pointer check in the gfs2_rgrp_dump() function.

Affected Versions

Linux kernel versions prior to the patch commit that fixed the vulnerability.

Code Snippet

The original vulnerable code snippet in the gfs2_rgrp_dump() function can be found in the Linux kernel's fs/gfs2/rgrp.c file. Here's the part where the NULL pointer dereference can occur:

static void gfs2_rgrp_dump(struct seq_file *seq, const struct gfs2_rgrpd *rgd)
{
  ...
  rcu_read_lock();
  gl = rcu_dereference(rgd->rd_gl);
  ...
  rcu_read_unlock();
}

In the above snippet, the code attempts to dereference rgd->rd_gl without checking whether it is a NULL pointer or not. If the creation of rgd->rd_gl fails, a NULL pointer is dereferenced, which could possibly lead to the aforementioned issues.

Fix:

The fix for this vulnerability involves adding a NULL pointer check at the right place in the gfs2_rgrp_dump() function. The code snippet with the appropriate fix is as follows:

static void gfs2_rgrp_dump(struct seq_file *seq, const struct gfs2_rgrpd *rgd)
{
  ...
  rcu_read_lock();
  if (!rgd->rd_gl) {
    rcu_read_unlock();
    return;
  }
  gl = rcu_dereference(rgd->rd_gl);
  ...
  rcu_read_unlock();
}

As can be seen above, the fixed code now checks for a NULL pointer before dereferencing rgd->rd_gl, avoiding any potential issues.

References

1. Original report by Syzkaller: https://lkml.org/lkml/2023/4/13/capabilities
2. Kernel patch fixing the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d37a974bddaf4956

Exploit Details

While there is currently no known exploit impacting real-world systems, a proof-of-concept could be developed to trigger a kernel panic and denial of service by calling the gfs2_rgrp_dump() function in a way that the rgd->rd_gl creation fails. System administrators should apply the kernel patch as soon as possible to reduce their potential exposure.

Conclusion

In this post, we have detailed the Linux kernel NULL pointer dereference vulnerability, CVE-2023-52448, which affected the gfs2_rgrp_dump() function, a part of the GFS2 file system. We demonstrated how the vulnerability arises, provided the code snippets involved, and explained the fix. We have also covered the potential exploit details and provided references for further reading. It is crucial to apply the given patch to reduce the risk of any potential exploitation in real-world systems.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/18/2024 18:38:36 UTC