A vulnerability has been discovered in the Linux kernel's Extended Readonly File System (EROFS): syzkaller, a kernel fuzzer, can create inconsistent crafted images that use unsupported compression algorithms. This can lead to an unexpected kernel error such as "BUG: kernel NULL pointer dereference" if the decompressor is not built-in. This article gives a detailed overview of the vulnerability (CVE-2024-26590), the code snippet that fixes the issue, and links to the original references.

The Problem

EROFS is designed to support compression algorithms on a per-file basis, and each of these algorithms needs to be marked in the on-disk superblock for correct initialization. However, a crafted image can be inconsistent for specific inodes, for example an inode that uses the MicroLZMA algorithm type even though it is not set in sbi->available_compr_algs. This inconsistency triggers a "BUG: kernel NULL pointer dereference" error when the corresponding decompressor is not built-in.

The Solution

To fix this vulnerability, the code must be modified to correctly check against sbi->available_compr_algs for each m_algorithmformat request. This will ensure that the incorrect !erofs_sb_has_compr_cfgs preset bitmap is fixed.

Here is a code snippet that modifies the EROFS file system implementation to solve this issue:

static inline struct z_erofs_decompressor *get_decompressor(enum z_erofs_algorithmformat alg)
{
    struct z_erofs_decompressor *const decompressor = sbi->decompressor + alg;

+   if (unlikely(!erofs_sb_has_compr_cfg(sbi, alg))) {
+       ERR_ONCE("inconsistent m_algorithmformat %u within sbi->available_compr_algs x%x\n",
+                alg, sbi->available_compr_algs);
+       return ERR_PTR(-EINVAL);
+   }
    return decompressor;
}
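
Review bot: sbi is dereferenced in both the context line (sbi->decompressor + alg) and the added erofs_sb_has_compr_cfg(sbi, alg) check, but the function only takes alg, so as shown it has no definition in scope; pass the superblock info in as a parameter. The added branch returns ERR_PTR(-EINVAL), so every caller has to test the result with IS_ERR() rather than comparing against NULL, and the pointer derived from alg on the first line would be better computed after the check, together with a range check on alg. The message prints the bitmap with "x%x", which probably wants "0x%x".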

Adding the above code snippet will fix the vulnerability by correctly checking against the sbi->available_compr_algs variable for each m_algorithmformat request, ensuring that no unsupported compression algorithm is used by the EROFS file system.
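
The consistency check described above, as an added user-space model in C (not code from the kernel or from the patch). The enum, struct and function names are hypothetical, and a NULL table slot stands in for a decompressor that is not built in.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical algorithm ids for this model; not the kernel's enum. */
enum model_alg { ALG_LZ4, ALG_MICROLZMA, ALG_MAX };

typedef int (*decompress_fn)(const uint8_t *in, uint8_t *out, size_t len);

/* Stand-in for a built-in decompressor (constructed): copies the input. */
static int model_lz4(const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i];
    return 0;
}

/* A NULL slot models a decompressor that was not built in. */
static const decompress_fn model_decompressors[ALG_MAX] = {
    [ALG_LZ4] = model_lz4,
};

struct model_sb { uint32_t available_compr_algs; /* superblock bitmap */ };

/* Validate a per-inode algorithm id before any dispatch happens. */
static int model_check_alg(const struct model_sb *sb, unsigned int alg)
{
    if (alg >= ALG_MAX)
        return -EINVAL;     /* id outside the table */
    if (!(sb->available_compr_algs & (1U << alg)))
        return -EINVAL;     /* inode disagrees with the superblock */
    if (!model_decompressors[alg])
        return -EOPNOTSUPP; /* advertised, but no handler built in */
    return 0;
}

static int model_decompress(const struct model_sb *sb, unsigned int alg,
                            const uint8_t *in, uint8_t *out, size_t len)
{
    int err = model_check_alg(sb, alg);
    return err ? err : model_decompressors[alg](in, out, len);
}

int main(void)
{
    /* Constructed case: superblock advertises LZ4 only, inode claims MicroLZMA. */
    struct model_sb sb = { .available_compr_algs = 1U << ALG_LZ4 };
    uint8_t in[2] = { 1, 2 }, out[2];
    return model_decompress(&sb, ALG_MICROLZMA, in, out, 2) == -EINVAL ? 0 : 1;
}
```

Without model_check_alg, the MicroLZMA request would index the table and call through the NULL slot, which is the user-space analogue of the NULL pointer dereference described above.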

References

1. Linux Kernel Mailing List (LKML) - Patch Announcement
2. EROFS Documentation
3. syzkaller - Linux kernel fuzzer

Exploit Details

This vulnerability affects the Linux kernel's Extended Readonly File System (EROFS) and can be exploited by an attacker using a crafted image created by syzkaller that uses an unsupported compression algorithm. Patching the kernel with the provided code snippet will prevent this exploit by ensuring that only supported compression algorithms are used by the EROFS file system.

Timeline

Published on: 02/22/2024 17:15:09 UTC
Last modified on: 03/18/2024 17:54:20 UTC