CVE-2024-26597 - Linux kernel net: qualcomm rmnet_policy global out-of-bounds read fix

A recent Linux kernel vulnerability CVE-2024-26597 has been resolved. This vulnerability was caused by a global out-of-bounds read when parsing the netlink attributes in the rmnet_policy module of the net_CVE-2024-26597.qualcomm driver. The resolution involves correcting the maxtype value assigned by the rmnet_link_ops variable.

Vulnerability Details

The vulnerability exists in the Linux kernel's rmnet_policy module, specifically in the net: qualcomm: rmnet driver. The issue occurs when the rmnet_link_ops variable assigns a larger maxtype than necessary, leading to a global out-of-bounds read when parsing the netlink attributes. This vulnerability could potentially be exploited by a malicious user to cause a denial of service or possibly gain unauthorized access to sensitive data in the system.

Fix Details

To fix this issue, it is necessary to correct the maxtype value for rmnet_link_ops. According to the comment in the nla_parse_nested_deprecated function, the maxtype should be set to "len(destination array) - 1". In this case, the appropriate value to use is IFLA_RMNET_MAX. This fix ensures that the proper bounds are obeyed when parsing the netlink attributes and prevents the out-of-bounds read vulnerability.

For more information on the Linux kernel's rmnet_policy module, please visit the following resources

- Linux kernel source code
- Netlink documentation (Linux kernel)
- nlattr documentation (Linux kernel)

Conclusion

The recent Linux kernel vulnerability CVE-2024-26597, found in the net: qualcomm: rmnet driver, has been resolved by correcting the maxtype value assigned by rmnet_link_ops. This fix prevents the possibility of a global out-of-bounds read when parsing the netlink attributes and addresses any potential denial of service or unauthorized access issues that could result from the vulnerability.

Timeline

Published on: 02/23/2024 15:15:09 UTC
Last modified on: 04/17/2024 19:46:28 UTC