In the Linux kernel, a vulnerability was identified and fixed in the Error Detection and Correction (EDAC) subsystem related to the ThunderX OcteonTx SoC Communication (OCX) driver. The vulnerability, identified as CVE-2023-52464, is due to a potential out-of-bounds string access when using the strncat() function. This blog post provides details on the bug, the specific codebase reference, and the exploit details.

Code Snippet

The following compiler diagnostic shows the faulty strncat() usage in the EDAC/thunderx driver. GCC flags each call because the bound passed to strncat() equals the size of the destination buffer, which is not what that argument means:

  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   ...
   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
   ...
   115 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);

This error arises because the author of the driver mistakenly assumed that strncat() behaves like strlcat(). The two functions interpret their third argument differently: strlcat() takes the total size of the destination buffer and truncates so the result always fits, whereas strncat()'s third argument only limits how many bytes are copied from the source and says nothing about how much room is left in the destination. Passing OCX_MESSAGE_SIZE, the size of msg, to strncat() therefore provides no protection against overrunning msg.

Original References

You can find more details about this vulnerability, along with the discussion and the fix, in the following links:

1. Patchwork - Fix EDAC/thunderx Out-of-bounds String Access
2. Linux GitHub Repository - Commit for Fixing EDAC/thunderx String Access Vulnerability

Exploit Details

The issue lies in the usage of the strncat() function, whose length argument bounds the bytes read from the source rather than the size of the destination buffer. Each append into msg can therefore write past the end of the buffer once the accumulated message approaches OCX_MESSAGE_SIZE, a potential out-of-bounds memory access that can cause memory corruption or leakage of sensitive information.

To resolve this issue, the fix replaces each strncat() call with strlcat(), so that the third argument is treated as the size of the destination buffer and the message is truncated instead of overrun. The three call sites reported by the compiler above become:

  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
   1136 |                 strlcat(msg, other, OCX_MESSAGE_SIZE);
   ...
   1145 |                                 strlcat(msg, other, OCX_MESSAGE_SIZE);
   ...
   115 |                                 strlcat(msg, other, OCX_MESSAGE_SIZE);

With this change implemented, the EDAC/thunderx driver will now correctly ensure bounds checking while concatenating the strings, mitigating the vulnerability identified as CVE-2023-52464.
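The following program, added here as an illustration and not taken from the kernel or from the ThunderX driver, makes the difference between the two calls concrete for the explanation of strncat() versus strlcat() above and for the fix just shown. It appends a constructed 100-byte string to a constructed 1000-byte message using the same bound the driver used, OCX_MESSAGE_SIZE (1024). With strncat() the result grows to 1100 bytes, past the end of a 1024-byte buffer; with strlcat() semantics it is truncated to 1023 characters plus the terminator. The strncat() case writes into a deliberately oversized scratch buffer so that the demonstration itself stays in bounds, and strlcat() is reimplemented as bounded_strlcat() because not every C library provides it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Destination size used by the driver, taken from the compiler output above. */
#define OCX_MESSAGE_SIZE 1024

/*
 * Same contract as the kernel's strlcat(): the third argument is the total
 * size of the destination and the result is always NUL-terminated inside it.
 * Returns the length the string would have had without truncation.
 * (Named bounded_strlcat to avoid clashing with a libc that ships strlcat.)
 */
static size_t bounded_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = strnlen(dst, size);
    size_t slen = strlen(src);

    if (dlen == size)            /* dst not terminated: append nothing */
        return size + slen;
    if (slen < size - dlen) {
        memcpy(dst + dlen, src, slen + 1);
    } else {
        memcpy(dst + dlen, src, size - dlen - 1);
        dst[size - 1] = '\0';    /* truncate, keep terminator in bounds */
    }
    return dlen + slen;
}

/* Build a constructed message of 'A's and a constructed suffix of 'B's. */
static int make_inputs(char *msg, size_t existing_len, char *other, size_t other_len)
{
    if (existing_len >= OCX_MESSAGE_SIZE || other_len >= OCX_MESSAGE_SIZE)
        return -1;               /* keep the sample data inside both buffers */
    memset(msg, 'A', existing_len);
    msg[existing_len] = '\0';
    memset(other, 'B', other_len);
    other[other_len] = '\0';
    return 0;
}

/*
 * The original pattern: strncat() with OCX_MESSAGE_SIZE as the bound. The
 * bound limits bytes taken from 'other', not bytes written to the destination,
 * so the final length can exceed OCX_MESSAGE_SIZE. The scratch buffer is twice
 * the driver's size so this program stays in bounds; the driver's msg was not.
 * Returns the resulting string length.
 */
static size_t strncat_misuse_length(size_t existing_len, size_t other_len)
{
    char scratch[2 * OCX_MESSAGE_SIZE];
    char other[OCX_MESSAGE_SIZE];

    if (make_inputs(scratch, existing_len, other, other_len) != 0)
        return 0;
    strncat(scratch, other, OCX_MESSAGE_SIZE);
    return strlen(scratch);
}

/*
 * The fixed pattern: strlcat() semantics with the real destination size.
 * The buffer is exactly OCX_MESSAGE_SIZE and the result never exceeds
 * OCX_MESSAGE_SIZE - 1 characters. Returns the resulting string length.
 */
static size_t strlcat_fixed_length(size_t existing_len, size_t other_len)
{
    char msg[OCX_MESSAGE_SIZE];
    char other[OCX_MESSAGE_SIZE];

    if (make_inputs(msg, existing_len, other, other_len) != 0)
        return 0;
    bounded_strlcat(msg, other, OCX_MESSAGE_SIZE);
    return strlen(msg);
}

int main(void)
{
    size_t bad = strncat_misuse_length(1000, 100);
    size_t good = strlcat_fixed_length(1000, 100);

    printf("strncat(msg, other, %d): final length %zu -> %s\n", OCX_MESSAGE_SIZE,
           bad, bad >= OCX_MESSAGE_SIZE ? "overruns a 1024-byte msg" : "fits");
    printf("strlcat(msg, other, %d): final length %zu -> fits, truncated\n",
           OCX_MESSAGE_SIZE, good);
    return 0;
}
```

Compiling this with a recent GCC and -Wstringop-overflow on a 1024-byte destination would reproduce the diagnostic shown above for the strncat() call; the oversized scratch buffer here suppresses it, which is exactly why the warning is a useful signal in the real driver.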

Conclusion

The vulnerability (CVE-2023-52464) found in the EDAC/thunderx subsystem of the Linux kernel highlights the importance of thorough code review and understanding the differences in standard library functions. The fix applied here replaces the problematic strncat() usage with the more robust strlcat() function, ensuring proper memory handling and prevention of out-of-bounds string access in the driver code.

Timeline

Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/17/2024 20:03:39 UTC