CVE-2024-23695 - How a Simple Integer Overflow in cache_km.c Can Let Attackers Escalate Privileges

In early 2024, security researchers discovered a new vulnerability tracked as CVE-2024-23695. This bug lives inside the Linux kernel's memory management system, specifically in the file cache_km.c, in a function called CacheOpPMRExec. The vulnerability exposes systems to a dangerous local privilege escalation, making it possible for an ordinary user to execute kernel-level code, potentially taking full control of the system.

In this post, I’ll walk you through the bug in simple terms, show you the key code, and explain how an exploit could work. This guide is original and exclusive—summed up with easy-to-digest language and no unnecessary complexity.

What Is CVE-2024-23695?

CVE-2024-23695 is an out-of-bounds write caused by an integer overflow. Programs sometimes let numbers grow too big, failing to check if adding two big numbers “wraps around” and ends up much smaller than intended, causing data to overwrite memory it shouldn’t touch.

Affected System: Linux kernel

- Component: Memory/caching subsystem (cache_km.c)

The Core of the Bug: CacheOpPMRExec

The vulnerable code is found in the Linux kernel source file cache_km.c, in the function CacheOpPMRExec. This function manages a custom cache memory region (PMR). It takes a user-provided size and offset, calculates an *index*, and then performs operations based on this index.

If the math here goes wrong, the index could point somewhere outside the intended array in memory, allowing for out-of-bounds access.

Let’s look at a simplified code snippet describing the weakness

// cache_km.c

int CacheOpPMRExec(struct pmr *pmr, size_t offset, size_t size)
{
    size_t idx = offset + size;  // potential integer overflow here!
    if (idx < pmr->max_size) {
        pmr->data[idx] = SOMETHING;  // Out-of-bounds write possible
        return ;
    }
    return -EINVAL;
}

- If offset + size overflows and wraps around (for example, exceeding the max value for size_t), idx becomes very small, and the boundary check (idx < pmr->max_size) will wrongly pass.

Real-World Code Reference

This simple example captures how a real-life bug might look. The actual code may have more checks, but the essence remains: *User-controlled input leads to unchecked addition, resulting in a dangerous overflow.*

Code diff in a patch (hypothetical)

-   size_t idx = offset + size;
-   if (idx < pmr->max_size) {
+   if (offset > pmr->max_size || size > pmr->max_size - offset) {
+       return -EINVAL; // avoid overflow
+   }
+   size_t idx = offset + size;
+   if (idx < pmr->max_size) {

How Could an Attacker Exploit CVE-2024-23695?

A local user can craft input values (for offset and size) that would make their sum wrap around due to the integer overflow. When this data is passed to the kernel, it ends up writing kernel data outside the intended array, possibly overwriting critical kernel structures or pointers.

Escape sandboxes

- Corrupt kernel data structures, leading to code execution, denial of service, or persistent backdoors

Example Exploit Outline

While it’s not responsible to post a working exploit for an LPE bug, here’s a high-level pseudocode outline:

// userland, simplified example
#include <stdio.h>
#include <limits.h>

int main() {
    size_t offset = SIZE_MAX - 100; // near the max
    size_t size = 200; // will wrap around
    // syscall or ioctl interacting with vulnerable kernel driver
    int fd = open("/dev/vuln_cache", O_RDWR);
    write(fd, &offset, sizeof(offset));
    write(fd, &size, sizeof(size));
    // now data[idx] in kernel will write out-of-bounds!
    // exploit could overwrite task struct or function pointer
}

A real exploit would carefully target sensitive kernel memory, sometimes using a “heap spray” technique or “ROP chain” (return-oriented programming) for reliability.

Patch Reference

You can find the official patch (once available) at the kernel’s official Git repository or from your Linux distribution’s security channel.

Original References and More Reading

- CVE Record Detail - CVE-2024-23695 (NVD)
- Linux Kernel Source - cache_km.c (example reference)
- Integer Overflow and Out-of-Bounds Writes (OWASP)
- Kernel Bug Handling Guide (LWN.net)

In Summary

CVE-2024-23695 is a great example of how a simple, ancient bug class—integer overflows—remains dangerous even today. On Linux, these issues can let ordinary users “escape” to kernel territory and take control, putting the whole system at risk.

If you’re a system admin or Linux user, update your kernel as soon as a patch is available. If you’re a developer, always validate arithmetic, especially when users provide the numbers.

This vulnerability needs no user interaction, and exploits can be silent and deadly. Don’t leave your systems exposed.

Stay safe and keep your software up to date！

*Got questions or want fresh security breakdowns like this? Leave a comment or subscribe!*

Timeline

Published on: 07/09/2024 21:15:11 UTC
Last modified on: 07/12/2024 16:11:25 UTC