In the Linux kernel, a race condition vulnerability has been discovered and resolved in the tmpfs filesystem. This vulnerability is related to the flawed handling of disk quota (dquot) red-black (rb) trees. The vulnerability has been assigned the identifier CVE-2024-27058. This post will provide a technical explanation of the vulnerability, together with exploit details, code snippets, and links to original references.
Vulnerability and Exploit Details
A reproducer generated by syzkaller, the kernel fuzzer, exposed a race while dquot information was being removed from the red-black (rb) tree. The root cause is that fetching the rb_tree root node must also happen under the dqopt->dqio_sem semaphore, the lock that serializes modification of the tree. Without that protection, shmem_release_dquot() could emit a warning that a node was not found in the tree, when the real reason was that the root node had changed (through a rebalance by another thread) between the moment the root was fetched and the moment the search started.
The race condition can be better understood by examining the flow of two threads executing their operations concurrently:
Thread 1                             Thread 2
- shmem_release_dquot()              - shmem_{acquire,release}_dquot()
- fetch ROOT                         - fetch ROOT
                                     - acquire dqio_sem
- wait dqio_sem
                                     - do something, trigger a tree rebalance
                                     - release dqio_sem
- acquire dqio_sem
- start searching for the node, but
  from the wrong location, missing
  the node, and triggering a warning.
Here, Thread 1 is executing shmem_release_dquot() while Thread 2 is executing shmem_{acquire,release}_dquot(). Both threads read the rb_tree root without holding dqio_sem. Thread 2 then takes the semaphore and rebalances the tree, which replaces the root, while Thread 1 is still waiting with its now stale root pointer. When Thread 1 finally acquires the semaphore, it searches from that stale pointer and misses the node even though the node is still in the tree. To prevent this, the root fetch must be performed under the same dqio_sem that serializes modifications of the tree.
Resolution
The fix moves the rb_tree root fetch inside the dqio_sem critical section in the Linux kernel, so the root is read and the tree is searched under the same semaphore that serializes modifications of the red-black tree. A thread can therefore no longer start a search from a root pointer that a concurrent rebalance has since replaced.
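As an added illustration of the race diagram and of the fix described above (this is not code from the kernel or from the advisory), the following C toy model replaces the kernel rb-tree with a three-node binary search tree and uses a single left rotation at the root as the "rebalance"; the two thread orderings are replayed deterministically instead of with real threads. All names (`search_from`, `rebalance`, `build`, `lookup_root_before_lock`, `lookup_root_under_lock`) are assumptions of this model.

```c
#include <stddef.h>
/* Constructed toy model of rb_root/rb_node: a plain BST, with one left
 * rotation at the root standing in for the rebalance in the advisory. */
struct node { int key; struct node *left, *right; };
struct tree { struct node *root; };
static struct node *search_from(struct node *n, int key)
{
    while (n && n->key != key) n = key < n->key ? n->left : n->right;
    return n;
}

/* Rotate left at the root: the old root becomes the left child of its right
 * child, so that child's right subtree is reachable only via the NEW root. */
static void rebalance(struct tree *t)
{
    struct node *old = t->root, *pivot = old->right;
    old->right = pivot->left;
    pivot->left = old;
    t->root = pivot;
}

/* Chain 10 -> 20 -> 30 (right children only): the shape a rotation fixes. */
static void build(struct tree *t, struct node n[3])
{
    n[0] = (struct node){ 10, NULL, &n[1] };
    n[1] = (struct node){ 20, NULL, &n[2] };
    n[2] = (struct node){ 30, NULL, NULL };
    t->root = &n[0];
}

/* Racy ordering from the advisory: Thread 1 fetches ROOT before taking
 * dqio_sem, Thread 2 rebalances under the lock, Thread 1 then searches from
 * the stale root. Returns 1 if key is found, 0 if it is missed. */
static int lookup_root_before_lock(int key)
{
    struct tree t; struct node n[3];
    build(&t, n);
    struct node *root = t.root;   /* Thread 1: fetch ROOT, lock not held */
    rebalance(&t);                /* Thread 2: rotate under dqio_sem */
    return search_from(root, key) != NULL;
}

/* Fixed ordering: ROOT is read only with dqio_sem held, so any rebalance
 * has completed and the search starts from the current root. */
static int lookup_root_under_lock(int key)
{
    struct tree t; struct node n[3];
    build(&t, n);
    rebalance(&t);                /* Thread 2 finishes first */
    return search_from(t.root, key) != NULL; /* fetch ROOT under the lock */
}
```

With the stale root, keys 20 and 30 are reported missing although both nodes are still in the tree; with the root read under the lock, every key is found.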
References
1. Linux Kernel Commit - tmpfs: fix race on handling dquot rbtree
2. Syzkaller Project
Conclusion
The CVE-2024-27058 vulnerability, a race condition in the tmpfs dquot handling of the Linux kernel, has been resolved by fetching the rb_tree root under dqio_sem. Users are encouraged to apply the corresponding kernel updates to protect their systems against this vulnerability.
Timeline
Published on: 05/01/2024 13:15:50 UTC
Last modified on: 11/01/2024 17:35:04 UTC