In late May 2024, the Linux kernel team resolved an edge-case vulnerability involving a buffer overrun when parsing filenames inside the early userspace initramfs. Although this issue, tracked here as CVE-2024-53142, generally requires an attacker who already has the privileges needed to build the system image, understanding it highlights both the delicacy and the complexity of low-level kernel code. This post explains the flaw, how it could be triggered or observed, and the patch that closed the loophole.

What is initramfs and Why Does This Matter?

initramfs is the initial RAM filesystem the Linux kernel unpacks into memory during early boot. It contains the scripts and binaries needed to bring the system up to the point where the real userspace can take over. The image is stored in the old *cpio* archive format, whose rules dictate field lengths, how filenames are stored, and more. If the kernel misreads any of these fields, filename sizes in particular, unexpected behaviour and even security issues can follow.

The Vulnerability: Unchecked Filename Termination

Filenames in the cpio archives used by initramfs are *supposed* to end with a '\0' (null) byte. The kernel trusted that this terminator would always be there.

But if a cpio entry's filename field is not zero-terminated and is followed by uninitialized memory (for example because the archive was corrupted or manipulated), the Linux kernel could read past the filename into whatever memory comes next, in some cases even creating files with unexpected garbage appended to their names.

The relevant header field is defined like this (from the kernel docs):

| Field Name | Size | Meaning |
|-------------|--------------|------------------------------|
| c_namesize | 8 bytes | Length of filename incl. '\0' |

If the filename isn't zero-terminated, code like this

/* Pseudo-logic */
char *collected = ...;  // name bytes copied out of the cpio stream
// the code assumes collected[namelen-1] == '\0' without checking it
filp_open(collected, ...);

opens a file using a string that, if no zero byte is found where expected, runs on through whatever garbage data follows the filename in memory. That can create files with "random" name suffixes.

Reproducing the Problem

You can see the effect with a simple bash script that writes a malformed cpio header. Here’s the proof-of-concept:

#!/bin/bash
# reproducer.sh
nilchar="A"      # Use "A" instead of "\0" so the name is NOT zero-terminated/padded
magic="070701"
ino=1
mode=$(( 0100777 ))
uid=0
gid=0
nlink=1
mtime=1
filesize=0
devmajor=0
devminor=1
rdevmajor=0
rdevminor=0
csum=0
fname="initramfs_test_fname_overrun"
namelen=$(( ${#fname} + 1 ))   # +1 for the terminator the archive is supposed to carry

# 110-byte header (magic + 13 eight-digit hex fields) followed by the raw name
printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
  $magic $ino $mode $uid $gid $nlink $mtime $filesize \
  $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname

# terminator slot plus padding so header+name length is a multiple of 4,
# all filled with $nilchar instead of null bytes
termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
printf "%.0s${nilchar}" $(seq 1 $termpadlen)

1. Run it and append the output to your existing initramfs:

   ./reproducer.sh | gzip >> /myinitramfs

2. Boot with this as your initramfs. Observe any files like /initramfs_test_fname_overrunAA*.

The Fix

The kernel patch now aborts extraction if the filename is not zero-terminated at the expected spot. This prevents runaway reading or file creation past the intended filename.

In code, it's something like

if (filename[length - 1] != '\0') {
    // abort: the name is not terminated where c_namesize says it should be
    return -EINVAL;
}
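To make the check concrete, here is an added example in C that is not the kernel's own code: a minimal parser for the 110-byte cpio header that applies the patched terminator check, plus a builder that lays out an entry exactly as reproducer.sh does, so both the malformed ("A"-padded) and the well-formed (null-padded) entry can be fed through it. The function names (newc_entry_name, newc_build, newc_demo) and the 4096-byte name bound are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define NEWC_HDR_LEN 110  /* "070701" + 13 ASCII-hex fields of 8 bytes */

/* Decode one 8-character ASCII-hex header field; -1 on a non-hex byte. */
static int hex_field(const char *p, unsigned *out) {
    unsigned v = 0;
    for (int i = 0; i < 8; i++) {
        char c = p[i];
        int d = (c >= '0' && c <= '9') ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10
              : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
        if (d < 0) return -1;
        v = (v << 4) | (unsigned)d;
    }
    *out = v; return 0;
}

/* Copy the filename of the entry at buf[0..len) into out; returns its length
 * without the NUL, or -1 if malformed. The last check mirrors the kernel patch:
 * byte c_namesize-1 must be NUL, or a later open() reads on into what follows. */
int newc_entry_name(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    unsigned namesize;
    if (len < NEWC_HDR_LEN || memcmp(buf, "070701", 6) != 0) return -1;
    if (hex_field((const char *)buf + 94, &namesize) < 0) return -1; /* c_namesize */
    if (namesize == 0 || namesize > 4096) return -1;   /* assumed PATH_MAX-style bound */
    if (len - NEWC_HDR_LEN < namesize || namesize > outsz) return -1;
    const char *name = (const char *)buf + NEWC_HDR_LEN;
    if (name[namesize - 1] != '\0') return -1;          /* the CVE-2024-53142 check */
    memcpy(out, name, namesize);
    return (int)(namesize - 1);
}

/* Build one entry the way reproducer.sh does: header, name, then `term` over the
 * terminator slot and the 4-byte alignment padding. Returns the entry length. */
size_t newc_build(unsigned char *buf, const char *fname, char term) {
    unsigned namesize = (unsigned)strlen(fname) + 1;
    int n = sprintf((char *)buf, "070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s",
                    1, 0100777, 0, 0, 1, 1, 0, 0, 1, 0, 0, namesize, 0, fname);
    size_t pad = 1 + ((4 - ((NEWC_HDR_LEN + namesize) & 3)) % 4);
    memset(buf + n, term, pad);
    return (size_t)n + pad;
}

/* Constructed input: the reproducer's filename; 'A' = malformed, '\0' = well-formed. */
int newc_demo(char term) {
    unsigned char buf[256]; char out[64];
    size_t len = newc_build(buf, "initramfs_test_fname_overrun", term);
    return newc_entry_name(buf, len, out, sizeof out);
}
```

newc_demo('A') returns -1 (entry rejected, as the patched kernel does), while newc_demo('\0') returns 28, the length of the properly terminated name.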

References and More Reading

- Linux kernel patch discussion (LKML)
- Linux kernel Documentation: early-userspace/buffer-format.rst
- initramfs cpio archive format
- CVE-2024-53142 at cve.org (when available)

Conclusion

While CVE-2024-53142 is not a classical remote or privilege escalation exploit, it underscores the importance of defensive programming—always check your string boundaries and terminators! Even in code only accessible by "trusted" authors, edge cases can bite.

If you maintain custom kernel builds or initramfs images, make sure you upgrade to a kernel with this patch, or verify your initramfs creation scripts correctly zero-terminate filenames.

Exclusive content by Linux Explains, 2024.

*If reproducing, please cite the original links.*

Timeline

Published on: 12/06/2024 10:15:06 UTC
Last modified on: 12/19/2024 09:40:12 UTC