The Linux kernel developers have successfully fixed a vulnerability (CVE-2024-27047) within the phy_get_internal_delay function, which caused the function to access an empty array. This vulnerability led to a "kernel NULL pointer dereference" error.

Background

In the Linux kernel, there is a function called phy_get_internal_delay, which helps in determining the internal delay of a network PHY interface. However, this function faced a significant bug where it could access an empty array in certain situations. This bug was caused when the driver called phy_get_internal_delay without defining delay_values and either rx-internal-delay-ps or tx-internal-delay-ps being set to in the device-tree. Consequently, this led to the kernel being unable to handle a NULL pointer dereference, causing a system crash.

Resolution

The solution to this vulnerability was to change the test condition to delay >= , as there was already a delay < test just before it. The test could only be size == , which prevents the kernel from accessing the empty array.

Here's a snippet of the corrected code

if (IS_ERR(delay_values))
    return PTR_ERR(delay_values);

if (size == ) {
    phydev_err(phydev, "Phy internal delays empty\n");
    return -EINVAL;
}

This code simply checks if the size of the array is equal to zero, preventing the function from accessing an empty array and avoiding the kernel NULL pointer dereference.

Additional references and resources

- Original commit that resolved the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=fa1225e8c649b37c1ee58a7f839c860adb73ab1
- Linux kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/

Exploit Details

As the vulnerability could lead to a kernel crash or "oops," this issue held the potential to be exploited by malicious users. An attacker could potentially craft a malicious device-tree setting and combine it with a specific driver configuration allowing them to induce a kernel crash remotely. This, in turn, could result in a Denial of Service (DoS) attack on the targeted system.

However, now that the vulnerability has been patched, the Linux kernel is protected from potential exploitation in this aspect. Users are strongly advised to update their Linux kernel to the latest version to incorporate the fix and ensure their systems are safeguarded.

Timeline

Published on: 05/01/2024 13:15:49 UTC
Last modified on: 06/25/2024 22:15:29 UTC