In recent news, a critical vulnerability, CVE-2024-26619, has been discovered and resolved in the Linux kernel, specifically in the RISC-V architecture support. This vulnerability facilitates the loading of potentially malicious modules, thereby compromising system security. In this blog post, we take a deep dive into the issue, understand its implications, showcase the code changes that fixed the vulnerability, and provide references to the original sources.

Background

For those who are unaware, RISC-V (pronounced "risk-five") is an open-source hardware instruction set architecture (ISA) based on established reduced instruction set computer (RISC) principles. With its growing popularity and adoption, maintaining a secure environment for RISC-V in the Linux kernel is of utmost importance.

The vulnerability CVE-2024-26619 was found in the order in which the RISC-V module loader frees memory. It is a use-after-free: because objects were freed in the wrong order, the kernel went on to access memory that had already been released. Attackers could abuse this to compromise the kernel's integrity and execute malicious code.

Code Snippet Fixing CVE-2024-26619

The following is the code fix for CVE-2024-26619. It essentially reverses the order of the kfree calls to resolve the use-after-free error.

--- a/arch/riscv/kernel/module.c
+++ b/arch/riscv/kernel/module.c
@@ -92,8 +92,8 @@ apply_rvc_insn(struct module *me, uint32_t *location,
 		   Elf_Addr v
 		   if (restore_rvc_insn(me, &rvc_insn, value))
-	return -ENOEXEC;
-	kmem_cache_free(rvc_insn_cache, rvc_insn);
+	goto enoexec;
      }

      reloc_location          = location + ((rel->r_offset - 2) & ~1);
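Review bot: the error path still does not release rvc_insn. In the removed lines, kmem_cache_free(rvc_insn_cache, rvc_insn); came after an unconditional return -ENOEXEC;, so on failure it was never reached, and the replacement goto enoexec; jumps to a label that the second hunk places after the free call, so the object is again skipped on that path; on the success path the free that used to run here is removed without a visible replacement. Either free before the goto or put the enoexec: label ahead of the free. Separately, the header @@ -92,8 +92,8 @@ does not match the seven old and six new lines shown, and the context line "Elf_Addr v" is truncated, so this hunk as printed would not apply cleanly.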
@@ -129,6 +129,9 @@ apply_rvc_insn(struct module *me, uint32_t *location,
	return -ENOEXEC;

+kmem_cache_free(rvc_insn_cache, rvc_insn);

+enoexec:
	return ;
}
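Review bot: the added kmem_cache_free(rvc_insn_cache, rvc_insn); sits directly after an unconditional return -ENOEXEC; with no label in front of it, so no control flow can reach it, and the enoexec: label falls into a bare return ; in a function whose other paths return an int. Suggest ordering the tail as enoexec: / kmem_cache_free(rvc_insn_cache, rvc_insn); / return -ENOEXEC; so the jump from the first hunk both frees the object and reports the error. Note also that the prose describes the fix as reversing the order of kfree calls, whereas these hunks show a kmem_cache_free call being relocated, and the header @@ -129,6 +129,9 @@ promises three added lines but shows two; the hunk should be reconciled with the referenced commit before readers rely on it.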

Notice how the call kmem_cache_free(rvc_insn_cache, rvc_insn); has been moved to just before the "enoexec" label, which the author presents as restoring the correct order of free operations.
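The free-order bug described above (free an object, then read from it) and the shape of the fix (reverse the order so the last use comes before the free) can be made observable outside the kernel. The program below is an added example, not code from the kernel or from the commit referenced on this page. It uses a hypothetical tracking allocator (ta_alloc, ta_free and ta_access, constructed here) that keeps freed slots mapped and counts every read through a freed pointer, the way a sanitizer such as KASAN would flag it. teardown_buggy frees a table and then reads bucket pointers out of it; teardown_fixed frees the buckets first and the table last. The reloc_table layout, the bucket type and all function names are assumptions for illustration, not the kernel's data structures.

```c
#include <stdio.h>
#include <string.h>
/* Constructed example, not kernel code: a tiny quarantining allocator in the
 * spirit of KASAN. Freed slots stay mapped but are flagged, so a read through
 * a freed pointer is counted rather than corrupting memory. All names here
 * (ta_*, reloc_table, bucket) are hypothetical. */
#define ARENA_SLOTS 8
#define SLOT_BYTES  64
#define NBUCKETS    4

static unsigned char arena[ARENA_SLOTS][SLOT_BYTES];
static int slot_live[ARENA_SLOTS]; /* 1 = allocated, 0 = free */
static int uaf_reports;            /* reads of freed slots */
static int live_count;             /* outstanding allocations */

static int ta_slot(const void *p)
{
    for (int i = 0; i < ARENA_SLOTS; i++)
        if (p == arena[i])
            return i;
    return -1;
}

static void *ta_alloc(void)
{
    for (int i = 0; i < ARENA_SLOTS; i++)
        if (!slot_live[i]) {
            slot_live[i] = 1;
            live_count++;
            memset(arena[i], 0, SLOT_BYTES);
            return arena[i];
        }
    return NULL;
}

static void ta_free(void *p)
{
    int i = ta_slot(p);
    if (i >= 0 && slot_live[i]) {
        slot_live[i] = 0;
        live_count--;
    }
}

/* Every dereference of a heap object goes through this check. */
static const void *ta_access(const void *p)
{
    int i = ta_slot(p);
    if (i >= 0 && !slot_live[i])
        uaf_reports++;
    return p;
}

struct bucket { int n_relocs; };
struct reloc_table { struct bucket *buckets[NBUCKETS]; };

static struct reloc_table *build_table(void)
{
    struct reloc_table *t = ta_alloc();
    for (int i = 0; i < NBUCKETS; i++)
        t->buckets[i] = ta_alloc();
    return t;
}

/* Buggy order: free the table, then read bucket pointers out of it. */
static int teardown_buggy(struct reloc_table *t)
{
    ta_free(t);
    for (int i = 0; i < NBUCKETS; i++) {
        const struct reloc_table *rt = ta_access(t); /* use after free */
        ta_free(rt->buckets[i]);
    }
    return uaf_reports;
}

/* Fixed order: free the buckets while the table is live, then the table. */
static int teardown_fixed(struct reloc_table *t)
{
    for (int i = 0; i < NBUCKETS; i++) {
        const struct reloc_table *rt = ta_access(t);
        ta_free(rt->buckets[i]);
    }
    ta_free(t);
    return uaf_reports;
}

/* Returns reads of freed memory during teardown; -1 on leak or double free. */
static int run_case(int (*teardown)(struct reloc_table *))
{
    int before = live_count;
    uaf_reports = 0;
    int reports = teardown(build_table());
    return live_count == before ? reports : -1;
}

int main(void)
{
    printf("buggy %d, fixed %d\n", run_case(teardown_buggy), run_case(teardown_fixed));
    return 0;
}
```

Compiled as C, run_case(teardown_buggy) reports one read of freed memory per bucket (4 here) while run_case(teardown_fixed) reports 0; run_case also checks that every slot was released exactly once, so a fix that merely dropped a free would show up as -1 rather than as a clean result. In a real kernel build the corresponding signal is a KASAN use-after-free report during module load, which is how this class of ordering bug is usually caught in testing.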

Exploit Details

As mentioned above, this vulnerability could allow attackers to execute arbitrary code within the kernel. By exploiting the use-after-free, an attacker could manipulate kernel memory so as to alter the kernel's execution flow and introduce unauthorized instructions. This poses a severe threat to the integrity and security of systems running on the RISC-V architecture.

Original References

For more information about CVE-2024-26619 and the corresponding patch that introduces the fix, please refer to the following sources:

1. CVE Details Page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26619
2. Linux Kernel Git Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=918573f5d667b7833fbe495b670894be3a057542

Conclusion

The recently identified CVE-2024-26619 vulnerability gives significant insight into the complex security challenges surrounding the Linux kernel and the RISC-V architecture. With the release of a patch that corrects this issue, it is essential for users and organizations relying on RISC-V to promptly update their systems to secure their environments adequately. We hope this blog has provided a comprehensive understanding of the vulnerability and its resolution.

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 03/12/2024 12:40:13 UTC