In early 2024, Linux kernel developers patched a security issue that could let attackers extract uninitialized data from memory thanks to a bug in the FAT file system code. This bug, tracked as CVE-2024-26973, affects how the kernel encodes file handles for userspace, and could potentially leak sensitive kernel stack data.

In this post, I’ll walk you through what went wrong, show you where it lived in the code, reference the actual patch and commit, and explain what this means for you as a Linux user or admin.

What’s the bug all about?

The Linux kernel supports exporting file systems, like FAT, to userspace through mechanisms such as NFS. When it does this, it creates what’s called a “file handle” to uniquely identify files and directories.

In the FAT filesystem, there’s some special logic for “nostale” file handles—these are handles that don’t have a parent directory encoded for various reasons.

Here’s the tricky detail: the function fat_encode_fh_nostale() is supposed to fill in a fixed-length file handle when given a file-with-no-parent scenario. However, while the file handle *must* be a multiple of 4 bytes (for alignment and protocol reasons), the function only intentionally fills the first 10 bytes. The last 2 bytes are just left as whatever random stack junk was already sitting there — a classic case of *uninitialized memory leakage*.

This isn’t great, because now userspace could read those 2 extra bytes and, in theory, get data that was meant to be private, like pointers, kernel data, etc.

Here’s a simplified version of the old buggy part of the code (from fs/fat/dir.c)

int fat_encode_fh_nostale(...)
{
    __u8 fh[12]; // file handle buffer: meant to be 12 bytes total

    // ... logic to fill the first 10 bytes of fh ...

    // old code: only writing first 10 bytes, not touching last 2!
    // send fh to userspace with 12 bytes, leaking stack content!
    ...
}

The code fixed by the kernel maintainers updates this part so all 12 bytes are initialized before the handle is given to userspace.

What could an attacker do?

While the actual impact is limited (since it’s just 2 bytes), this kind of bug is *never* just theoretical in security:

1. Information disclosure: Attackers love to gather kernel stack data, because even a few bytes might leak high-value secrets, like pointers or credentials. This is called an “infoleak” and is sometimes a springboard to bypass other security features (like KASLR).

Chaining exploits: Combine with other bugs for more powerful attacks.

To trigger this, a local userspace program would need to call kernel interfaces that ask for file handles from a FAT device configured a certain way. Some NFS sharing setups, container environments, forensic tools, or backup utilities could be vulnerable if they use custom file handle requests.

How was it fixed?

The patch simply zeroes out the full file handle buffer before using it, making sure no stack junk remains. Here's the fixed code snippet:

int fat_encode_fh_nostale(...)
{
    __u8 fh[12] = {}; // Initialize all 12 bytes to zero

    // Then fill in the required 10 bytes as before...

    // The whole 12-byte buffer is now clean and safe
}

By setting the buffer to zero, the possible leakage is closed.

Original kernel patch:

fat: fix uninitialized field in nostale filehandles (kernel.org)

CVE Entry:

NVD - CVE-2024-26973

PoC: How to Test If Your System Was Vulnerable

A real-world exploit for this bug would be quite specialized, but here’s a proof-of-concept outline in pseudocode:

int main() {
    // Open a FAT filesystem (e.g., a vfat flash drive)
    // Use open_by_handle_at() or a similar syscall to request a file handle for a file with no parent
    // Inspect the returned handle: last 2 bytes may contain kernel stack data!
}

This requires root and custom kernel settings, but illustrates how even small “leaks” in kernel code can become a problem.

Even a 2-byte infoleak may be valuable to an attacker.

- Keep an eye on kernel CVEs and apply vendor updates (check your Linux distribution’s advisories for CVE-2024-26973).

If you run a Linux server, desktop, or embedded device using FAT filesystems (including legacy devices, SD cards, or NFS sharing), make sure your system is patched.

Timeline

Published on: 05/01/2024 06:15:13 UTC
Last modified on: 03/03/2025 17:47:59 UTC