In June 2024, a critical vulnerability tracked as CVE-2024-46686 was addressed in the Linux kernel, impacting systems that use the SMB client together with RDMA (Remote Direct Memory Access). The root cause was a NULL pointer dereference while handling certain SMB2 read operations. Left unresolved, this bug can cause kernel panics and denial of service, and could potentially be leveraged for further attacks.
In this article, we’ll break down what CVE-2024-46686 is, how it works, and what you can do to protect your systems.
What is CVE-2024-46686?
CVE-2024-46686 is a vulnerability in the Linux kernel’s smb/client subsystem. The bug is triggered when smb2_new_read_req() is called from SMB2_read() during RDMA operations, specifically when a read reaches the rdma_readwrite_threshold.
The vulnerable code fails to check whether rdata is NULL before dereferencing it, which can crash the kernel or cause undefined behavior.
Where Did This Happen In The Code?
Let's look at a simplified version of the vulnerable code.
Vulnerable Function: smb2_new_read_req()
struct smb2_read_rsp *rdata = NULL;
/* ... logic that, on the RDMA path, may leave rdata as NULL ... */
if (use_rdma /* rdma_readwrite_threshold reached */) {
    /* Vulnerable: rdata is dereferenced without a NULL check */
    do_something_with(rdata->some_member);
}
When smb2_new_read_req() is called from SMB2_read() with RDMA enabled, and a threshold or error state is hit (rdma_readwrite_threshold), the code can attempt to use rdata without ensuring it was ever assigned a valid pointer.
Impact:
- Denial of Service (DoS): SMB client operations cause the host to become unresponsive.
- Potential Escalation: No public privilege-escalation exploit exists (yet), but a kernel NULL-pointer dereference is a well-known bug class that is sometimes leveraged for deeper attacks, depending on system specifics.
How Could an Attacker Exploit This?
A malicious SMB server (or a man-in-the-middle attacker) could craft an SMB2 READ response that triggers the RDMA path with conditions causing rdata to be NULL. When the Linux client processes this, it dereferences NULL, leading to a kernel panic.
- The client system crashes, causing downtime.
No privilege escalation or remote code execution has been demonstrated yet, but this kind of bug is always high priority for kernel teams, as exploitation techniques tend to evolve.
Patch & Resolution
The bug has been fixed by introducing a check to ensure rdata is not NULL before it is dereferenced.
Fixed Code Snippet
if (rdata != NULL) {
    do_something_with(rdata->some_member);
} else {
    /* rdata is NULL: take the error path instead of dereferencing it */
}
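To make the calling pattern concrete, here is an added, self-contained C model of the bug shape (constructed for this article, not kernel code; all struct and function names are hypothetical). It mirrors the detail above: the synchronous SMB2_read() path builds the request with no per-request descriptor, so the RDMA threshold test must check rdata before reading any of its fields.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the bug pattern; names are hypothetical, not kernel code. */
struct read_subreq {                /* per-request state, absent on the synchronous path */
	size_t len;                     /* bytes requested */
	bool mr_registered;             /* RDMA memory region set up for this read */
};

struct server_state {
	bool rdma;                          /* SMB Direct (RDMA) negotiated */
	size_t rdma_readwrite_threshold;    /* reads at or above this size use RDMA */
};

/* Vulnerable shape: the threshold test reads rdata->len before checking rdata.
 * Calling this with rdata == NULL on an RDMA connection is the crash. */
int new_read_req_vulnerable(const struct server_state *srv, struct read_subreq *rdata)
{
	if (srv->rdma && rdata->len >= srv->rdma_readwrite_threshold) {
		rdata->mr_registered = true;    /* NULL dereference when rdata == NULL */
		return 1;                       /* RDMA read request built */
	}
	return 0;                               /* ordinary read request built */
}

/* Fixed shape: rdata is tested before any of its fields are touched. */
int new_read_req_fixed(const struct server_state *srv, struct read_subreq *rdata)
{
	if (srv->rdma && rdata && rdata->len >= srv->rdma_readwrite_threshold) {
		rdata->mr_registered = true;
		return 1;
	}
	return 0;                               /* no rdata: safe non-RDMA path */
}

/* Mirrors SMB2_read(), which builds the request without a subrequest. */
int smb2_read_sync_fixed(const struct server_state *srv)
{
	return new_read_req_fixed(srv, NULL);
}

/* Mirrors the asynchronous caller, which does supply a subrequest. */
int smb2_read_async_fixed(const struct server_state *srv, size_t len)
{
	struct read_subreq rdata = { .len = len, .mr_registered = false };
	return new_read_req_fixed(srv, &rdata);
}
```

With RDMA negotiated, the fixed variant answers the SMB2_read() call (rdata NULL) with the ordinary read path, while a large asynchronous read still takes the RDMA path.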
Reference Patch:
- Linus Torvalds’ Kernel Git, commit fixing CVE-2024-46686
- Seclists.org post about CVE-2024-46686
Update Your Kernel:
Upgrade to a Linux kernel version with the patch for CVE-2024-46686. Most major distros have released security updates.
Limit Exposure:
If you cannot patch immediately, avoid using SMB mounts with RDMA, or limit network exposure of SMB client systems.
Monitor & Alert:
Watch kernel logs (dmesg or /var/log/kern.log) for unexpected crashes or panics involving the SMB client, for example a "BUG: kernel NULL pointer dereference" oops whose call trace includes smb2_new_read_req.
Conclusion
CVE-2024-46686 highlights how one missed check in the Linux kernel’s SMB client RDMA handling could have serious stability and security consequences. This vulnerability has been addressed quickly by the kernel community, but it’s crucial for system administrators to apply patches and stay vigilant about kernel security developments.
CVE Record:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46686
Timeline
Published on: 09/13/2024 06:15:13 UTC
Last modified on: 11/05/2024 09:44:39 UTC