A recent vulnerability has been resolved in the Linux kernel's x86/fpu subsystem, the code that saves and restores the extended processor state (xsave area) across signal delivery and signal return. The kernel is the part of the operating system that manages resources and processes and enforces security boundaries, so a flaw that lets an unprivileged process wedge a kernel code path matters. The vulnerability, assigned CVE-2024-26603, concerns how the kernel decided how much of a user-space xsave buffer to fault in during sigreturn, and it allows a local process to make the kernel spin in an endless loop.

Vulnerability Description

The flaw lies in how the x86/fpu subsystem handled the user-space xsave buffer during signal return. Before the fix, the kernel took the expected buffer size from fx_sw->xstate_size, a field in the signal frame that is written by user space. Because user space controls that value, a process can make the kernel's page-fault recovery logic disagree with what the XRSTOR instruction actually needs to read, which opens a denial-of-service (DoS) condition.

An attacker can trigger the bug by constructing a sigreturn frame in which both of the following hold:

1. fx_sw->xstate_size is smaller than the size required by the feature bits set in fx_sw->xfeatures.

2. User space unmaps part of the sigframe FPU buffer, so that not all of the memory XRSTOR must read is accessible, while the first fx_sw->xstate_size bytes remain mapped.

Under these conditions, XRSTOR tries to read the unmapped part of the buffer and takes a page fault. The kernel handles that fault by calling fault_in_readable(buf, fx_sw->xstate_size) and retrying on success. That call succeeds, because buf + fx_sw->xstate_size lies entirely within the still-mapped area, so the kernel retries XRSTOR, which faults at the same address again. The restore can neither complete nor fail, and the task spins in the kernel forever.

Resolution

The fix stops using the user-supplied size for fault-in and instead faults in the maximum number of bytes XRSTOR could touch, taken from fpstate->user_size, which the kernel computes itself from the enabled xfeatures. With the crafted frame above, fault_in_readable now covers the unmapped region; since unmapped pages cannot be faulted in, the call fails, the restore is abandoned instead of retried, and the sigreturn is rejected the way any corrupt signal frame is. The kernel no longer lets user space choose how far its own fault recovery looks.
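The following is an added user-space simulation of the retry logic described above, not kernel code or the patch itself. The page layout, the per-feature component sizes, the feature mask and the retry cap are invented so the livelock becomes observable; the function names sim_xrstor, sim_fault_in_readable, restore_from_user and user_size_max are stand-ins for the kernel's XRSTOR fault path, fault_in_readable() and fpstate->user_size, not the real symbols.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the sigreturn xstate restore path (not kernel code). */
#define FRAME_SIZE 4096

/* Invented component sizes indexed by xfeatures bit number. */
static const unsigned feature_size[4] = { 512, 64, 256, 1024 };
#define ALL_FEATURES 0xFULL

/* Stand-in for the fx_sw_reserved header that user space writes into the frame. */
struct fx_sw_sim {
    uint64_t xfeatures;    /* components XRSTOR must read */
    unsigned xstate_size;  /* size claimed by user space (attacker controlled) */
};

struct user_frame {
    uint8_t mapped[FRAME_SIZE];  /* 1 = backed by a page, 0 = unmapped */
};

/* Bytes XRSTOR actually reads for a given feature mask. */
static unsigned xrstor_bytes_for(uint64_t xfeatures)
{
    unsigned total = 0;
    for (unsigned bit = 0; bit < 4; bit++)
        if (xfeatures & (1ULL << bit))
            total += feature_size[bit];
    return total;
}

/* Stand-in for fpstate->user_size: the most XRSTOR can ever touch. */
static unsigned user_size_max(void) { return xrstor_bytes_for(ALL_FEATURES); }

/* Simulated XRSTOR: -1 on success, else offset of the first unmapped byte read. */
static long sim_xrstor(const struct user_frame *f, uint64_t xfeatures)
{
    unsigned need = xrstor_bytes_for(xfeatures);
    for (unsigned off = 0; off < need && off < FRAME_SIZE; off++)
        if (!f->mapped[off])
            return (long)off;
    return -1;
}

/* Simulated fault_in_readable(buf, size): 0 when all of [0, size) is readable,
 * non-zero otherwise. Unmapped bytes have no backing and cannot be faulted in. */
static unsigned sim_fault_in_readable(const struct user_frame *f, unsigned size)
{
    unsigned missing = 0;
    for (unsigned off = 0; off < size && off < FRAME_SIZE; off++)
        if (!f->mapped[off])
            missing++;
    return missing;
}

enum restore_result { RESTORE_OK, RESTORE_FAILED, RESTORE_LIVELOCK };

/* XRSTOR; on a fault, fault in `fault_in_size` bytes and retry. `max_retries`
 * only exists so the simulation terminates; the kernel loop has no bound. */
static enum restore_result restore_from_user(const struct user_frame *f,
                                             uint64_t xfeatures,
                                             unsigned fault_in_size,
                                             unsigned max_retries)
{
    for (unsigned i = 0; i < max_retries; i++) {
        if (sim_xrstor(f, xfeatures) < 0)
            return RESTORE_OK;
        if (sim_fault_in_readable(f, fault_in_size) != 0)
            return RESTORE_FAILED;  /* buffer really unreadable: fatal */
        /* fault-in "succeeded": go around again */
    }
    return RESTORE_LIVELOCK;
}

/* Run one frame through the pre-fix (user-supplied size) or post-fix policy. */
static enum restore_result run_sigreturn(bool fixed, const struct fx_sw_sim *sw,
                                         unsigned unmapped_from)
{
    struct user_frame f;
    for (unsigned off = 0; off < FRAME_SIZE; off++)
        f.mapped[off] = off < unmapped_from;
    unsigned fault_in = fixed ? user_size_max() : sw->xstate_size;
    return restore_from_user(&f, sw->xfeatures, fault_in, 1000);
}

/* Crafted frame: xstate_size below what the feature bits require, tail unmapped. */
static enum restore_result crafted_frame(bool fixed)
{
    struct fx_sw_sim sw = { .xfeatures = (1ULL << 0) | (1ULL << 3), .xstate_size = 576 };
    return run_sigreturn(fixed, &sw, 1024);
}

/* Honest frame: everything XRSTOR needs is mapped. */
static enum restore_result benign_frame(bool fixed)
{
    struct fx_sw_sim sw = { .xfeatures = (1ULL << 0) | (1ULL << 3), .xstate_size = 1536 };
    return run_sigreturn(fixed, &sw, FRAME_SIZE);
}

int main(void)
{
    static const char *name[] = { "ok", "failed", "livelock" };
    printf("crafted frame, pre-fix : %s\n", name[crafted_frame(false)]);
    printf("crafted frame, post-fix: %s\n", name[crafted_frame(true)]);
    printf("benign frame,  post-fix: %s\n", name[benign_frame(true)]);
    return 0;
}
```

With the crafted frame, the pre-fix policy faults in only the 576 mapped bytes, sees success, and retries until the cap; the post-fix policy faults in the full 1856-byte maximum, hits the unmapped tail, and fails the restore on the first pass. The benign frame restores under both policies, which is the property the fix must preserve.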

1. The original commit message and patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a6faba00bd98917e43d9f33794dd369a5cf1099c

2. Further details and discussion on the oss-security mailing list: https://www.openwall.com/lists/oss-security/2024/03/20/1

Conclusion

The Linux kernel is the heart of many operating systems, and keeping it secure is of the utmost importance. The fix for CVE-2024-26603 removes a local denial of service in the x86/fpu sigreturn path that any process could trigger with a crafted signal frame and a partially unmapped FPU buffer. Users and administrators should update to a kernel that carries the patch.

Timeline

Published on: 02/26/2024 16:28:00 UTC
Last modified on: 04/17/2024 18:00:07 UTC