CVE-2024-27392 - Double-Free in Linux Kernel NVMe Host Driver Explained

A recently patched vulnerability in the Linux kernel, CVE-2024-27392, has drawn the attention of both security researchers and system administrators. This bug revolved around the NVMe host driver code and posed a risk of double-free bugs, which could destabilize systems or even potentially allow for exploits in certain scenarios.

In this post, we will break down what happened, show you the affected code, explain the bug in plain language, and link to the original references. This explanation is written with clarity and accessibility in mind so anyone interested in Linux kernel security can easily follow.

What Is CVE-2024-27392?

CVE-2024-27392 is a vulnerability in the Linux kernel's NVMe host driver. The issue lay in how the driver managed memory for a particular structure (struct nvme_id_ns) during namespace updates.

When a function called nvme_identify_ns() failed, it would free memory it used before exiting. However, its caller, ns_update_nuse(), would also try to free the same chunk of memory. This is a textbook double-free, which can confuse the kernel's memory handler and potentially lead to crashes, unexpected behavior, or exploit conditions.

If the operation fails, nvme_identify_ns() cleans up its memory (frees it).

3. The caller, ns_update_nuse(), didn't check if the memory was already freed and tried to free it again.

Here is a simplified and excerpted version of the old (vulnerable) code

int nvme_identify_ns(..., struct nvme_id_ns **id)
{
    *id = kzalloc(sizeof(struct nvme_id_ns), GFP_KERNEL);
    if (!*id)
        return -ENOMEM;
    // ... perform operation ...
    if (failed) {
        kfree(*id);
        return -EINVAL;
    }
    // ...
    return ;
}

void ns_update_nuse(...)
{
    struct nvme_id_ns *id = NULL;
    int ret = nvme_identify_ns(..., &id);
    if (ret) {
        // Here, id is already freed if nvme_identify_ns() failed!
        kfree(id); // <-- Second free! Causes double-free bug.
        return;
    }
    // ...
    kfree(id);
}

When nvme_identify_ns() fails, it frees id before returning, but ns_update_nuse() doesn't know and tries again.

The Fix

The maintainers fixed the bug by *only* freeing id in ns_update_nuse() if it hasn't already been freed (i.e., *only* when nvme_identify_ns() succeeds and left a valid, allocated pointer).

Patched code

void ns_update_nuse(...)
{
    struct nvme_id_ns *id = NULL;
    int ret = nvme_identify_ns(..., &id);
    if (ret) {
        // Do NOT free id, as it has already been freed (or never allocated)
        return;
    }
    // ...
    kfree(id);
}

What Risk Did This Create?

While the double-free is not directly a remote code execution risk by itself in this driver usage, it could:

Crash the kernel under certain circumstances (DoS)

- Be a stepping stone for local privilege escalation if combined with other bugs (very rare for this code path, but not impossible)
- Cause hard-to-diagnose and intermittent bugs, especially if you use or test NVMe devices with advanced kernel configs

KASAN (Kernel Address Sanitizer) identified this when running blktests with the nvme/045 test, which simulated error-prone NVMe hardware situations.

References

- Linux kernel commit (patch)
- Kernel mailing list discussion
- NVD listing for CVE-2024-27392
- blktests (test suite for kernel block layer)

Exploit Details (What Could an Attacker Do?)

This double-free is mainly exploitable by *local* users with the ability to trigger NVMe namespace updates — usually only privileged processes or through crafted user space programs on developer/test systems. An attacker could potentially:

Cause an intentional crash (local denial of service)

- Attempt a memory management exploit (very difficult in this context, but theoretically possible if they can guess next allocations)

However, due to the nature of this code and its allocations, it is not straightforward for a normal user or unprivileged process to use this for privilege escalation. The primary risk lies in kernel crashes or unexpected behavior during NVMe device operations.


## How Do I Fix/Check for This?

- Upgrade to at least Linux kernel v6.8-rc7 or a distribution kernel incorporating the patch above.
- Watch your system logs (dmesg, /var/log/messages) for any KASAN or slab corruption errors when using NVMe devices.

It was caught by automated tests and fixed upstream quickly.

- While risk is low for remote exploits, any bug in kernel memory management should be fixed as soon as practical.

If you manage systems with NVMe storage, patch now and avoid potential stability or security issues down the road.


*Stay secure and always keep your kernels updated!*

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 12/26/2024 20:32:43 UTC