_The Linux Kernel is the beating heart of millions of computers and devices, so even a small bug can cause big problems. Today, we explore CVE-2024-44992, a vulnerability found and fixed in the SMB (Server Message Block) client of the Linux kernel. We’ll walk through how the bug happened, what was done to patch it, and share everything in easy, simple words._
What is CVE-2024-44992?
CVE-2024-44992 is a NULL pointer dereference vulnerability in the Linux kernel's SMB client (cifs module), specifically in the cifs_free_subrequest() function. This bug could potentially lead to a kernel crash (panic), affecting system stability, or even making the machine unresponsive when certain SMB operations fail in a specific way.
Where Was the Problem?
The bug lives in the function cifs_free_subrequest(). The issue was spotted by automated tools like Clang's static code analyzer.
Root of the Problem:
When a subrequest object (rdata) has a non-zero credit value but its associated server pointer (rdata->server) is NULL, the kernel tries to use that NULL pointer (it calls a method behind it). Accessing a field of something that’s NULL leads to a crash.
Scan-Build Warning
cifsglob.h:line 890, column 3
Access to field 'ops' results in a dereference of a null pointer.
Technical Context
SMB clients use "credits" to manage simultaneous read/write requests with SMB servers. When a request completes, credits need to be returned to the server. This happens via:
add_credits_and_wake_if(rdata->server, &rdata->credits, 1);
But if rdata->server is NULL, this becomes
NULL->ops->add_credits(...)
—which is a guaranteed crash (kernel panic).
Here's a simplified snippet from the problem area (before the fix)
if (rdata->credits.value != )
add_credits_and_wake_if(rdata->server, &rdata->credits, 1);
How Was It Fixed?
The fix is straightforward and safe:
Patched Code
if (rdata->credits.value != && rdata->server)
add_credits_and_wake_if(rdata->server, &rdata->credits, 1);
Now, the function will ONLY try to add credits if there is a valid server object.
Commit Diff Example:
- if (rdata->credits.value != )
- add_credits_and_wake_if(rdata->server, &rdata->credits, 1);
+ if (rdata->credits.value != && rdata->server)
+ add_credits_and_wake_if(rdata->server, &rdata->credits, 1);
Detailed Exploitability
In practice, this bug may not be easy to trigger directly by an attacker without special access, but in the right environment (such as specially crafted SMB server responses or kernel fuzzing), it is possible. Systems using the vulnerable kernel and mounting SMB shares were at risk of kernel crashes, which could be used for denial-of-service (DoS).
Since kernel crashes are often considered high-severity (due to the potential for remote crash if controlled from network), this bug is tracked and fixed quickly.
Upstream Fix Commit:
cifs: avoid possible NULL dereference in cifs_free_subrequest()
CVE Record (will be updated as details finalize):
Kernel Mailing List discussion:
Here’s a minimal demonstration in C (not kernel code, but same principle)
struct server {
int credits;
};
void add_credit(struct server *srv) {
if (!srv) return; // Always check for NULL!
srv->credits++;
}
void do_something(struct server *srv, int value) {
if (value > )
add_credit(srv);
}
If you don't check for !srv in add_credit, and you call do_something(NULL, 5), the program will crash.
Who needs to patch?
If you’re running Linux kernel with SMB/CIFS support (common in enterprise, NAS, some desktop environments), update your kernel!
Stay safe, update your kernel, and always code defensively.
_Exclusive to this post: If you want to hunt for similar bugs, consider learning static analysis and kernel debugging!_
References Recap
- Linux Commit
- CVE NVD Link
- LKML Patch Discussion
Timeline
Published on: 09/04/2024 20:15:08 UTC
Last modified on: 09/06/2024 16:29:28 UTC