In the Linux kernel, a critical vulnerability has been found in the cifs (Common Internet File System) writeback implementation, which could lead to writeback data corruption. This vulnerability is assigned the identifier CVE-2024-27036 and has been resolved in recent kernel patches.
Background
The cifs writeback code does not correctly handle the case where cifs_extend_writeback() is considering an additional folio but adding it would push the request past wsize (the per-request write size). When this happens, the implementation drops out of the xarray scanning loop and calls xas_pause(). The problem is that xas_pause() advances the loop index, so the folio that did not fit is skipped rather than revisited.
The fix is to call xas_reset() whenever the scan decides not to process the folio it is looking at, send the request being built, and start a new one; the folio is then re-examined by the next request instead of being skipped, so no pages are lost from writeback and the data corruption cannot occur.
Solution
For now the fix copies and adapts the writepages code from netfslib (the kernel's network filesystem helper library), with cifs writeback planned to be offloaded to netfslib entirely later. The same change also fixes a second problem: filemap_get_folios_tag() was returning folios that the extender had already dealt with, causing them to be retried.
- Create a 64K file somewhere that isn't on cifs (to prevent copy-offload interference):
    dd if=/dev/urandom of=/tmp/64K bs=64k count=1
- Mount a cifs share with a wsize of 64000:
    mount //192.168.6.1/test /mnt -o user=...,pass=...,wsize=64000
- Copy the 64K file to the mounted cifs share:
    cp /tmp/64K /mnt/64K
- Compare the original file and the copied file:
    cmp /tmp/64K /mnt/64K
Before the fix, cmp reported a difference at byte 64000 (or shortly after), i.e. right at the wsize boundary. With the fix applied, cmp should report no difference, confirming that the writeback data corruption has been resolved.
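The cursor arithmetic behind the mismatch at byte 64000, as an added userland model in C. This is not the kernel's code: the 4K folio size, the byte-exact cut of a request at wsize, and the way a skipped folio's remainder is abandoned are assumptions of the model.

```c
/* Userland model of the cifs_extend_writeback() cursor bug; not kernel code.
 * Requests are built from consecutive dirty folios until the next folio would
 * overrun wsize. Buggy path: cursor moves past the folio that did not fit (as
 * xas_pause() does), losing its unsent tail. Fixed path: cursor stays on it. */
#include <stdbool.h>
#include <string.h>
#define FOLIO_SIZE 4096u             /* assumed 4K folios */
#define MAX_FILE   (256u * 1024u)

/* Returns the offset of the first byte never sent, or file_size if the whole
 * file reached the server. */
static unsigned int simulate_writeback(unsigned int file_size,
                                       unsigned int wsize, bool use_reset)
{
    static unsigned char written[MAX_FILE];
    unsigned int nfolios = (file_size + FOLIO_SIZE - 1) / FOLIO_SIZE;
    unsigned int pos = 0;      /* next file byte a request will cover */
    unsigned int cursor = 0;   /* folio index the xarray scan looks at */
    if (file_size > MAX_FILE || wsize == 0)
        return 0;
    memset(written, 0, file_size);
    while (cursor < nfolios) {
        /* After a skip the next request starts at the cursor's folio, so the
         * leftover bytes of the skipped folio are silently abandoned. */
        if (pos < cursor * FOLIO_SIZE)
            pos = cursor * FOLIO_SIZE;
        unsigned int start = pos, len = 0;
        while (cursor < nfolios && len < wsize) {
            unsigned int folio_end = (cursor + 1) * FOLIO_SIZE;
            if (folio_end > file_size)
                folio_end = file_size;
            unsigned int add = folio_end - pos;
            if (len + add > wsize) {      /* folio would overrun wsize */
                pos = start + wsize;      /* send only the part that fits */
                len = wsize;
                if (!use_reset)
                    cursor++;             /* bug: skip past this folio */
                break;
            }
            len += add;
            pos = folio_end;
            cursor++;
        }
        memset(written + start, 1, len);  /* this request reaches the server */
    }
    for (unsigned int i = 0; i < file_size; i++)
        if (!written[i])
            return i;
    return file_size;
}
```

With the page's parameters (64K file, wsize 64000) the buggy path reports the first unsent byte at 64000, matching where cmp fails; the fixed path reports none.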
Original References
- Linux Kernel Mailing List post discussing the vulnerability and fix: https://lore.kernel.org/linux-cifs/YTv+nDQqkLYOQhy6@lst.de/T/#m5d8cb3c044b09dd6957c05a2
- Related Linux kernel git commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9f2babf5a45d52c42fa1fcd6e934fa138c21a5f
Exploit Details
The effect of this bug is writeback data corruption: data written to a cifs share can differ from the source data without any error being reported. An attacker could potentially use this to cause data corruption, disrupting the normal operation of affected systems or altering their stored data. The kernel patches remove the skipped-folio behaviour, so patched kernels are no longer affected.
Conclusion
CVE-2024-27036 is a critical vulnerability in the Linux kernel's cifs writeback implementation that could lead to data corruption. This issue has been resolved through the adoption of netfslib writepages code and the use of xas_reset(). System administrators and users should make sure to update their Linux kernel to the latest version to protect themselves from this vulnerability.
Timeline
Published on: 05/01/2024 13:15:49 UTC
Last modified on: 05/04/2025 09:02:48 UTC