A vulnerability has been identified in the Linux kernel's overlayfs (overlay filesystem) component and assigned CVE-2024-56570. It has been addressed by adding a check to the ovl_dentry_weird() function so that directory inodes with no lookup operation are filtered out instead of being used. In this post we discuss what the bug is, what it means for Linux systems, how the fix works, and the code change itself.
Vulnerability Details
In the Linux kernel, overlayfs stacks one or more read-only lower directories under an optional writable upper directory and presents them as a single merged tree. This is useful wherever the contents of several directories, or entire filesystems, need to be combined, most prominently for container image layers.
The vulnerability arose because overlayfs processed directory inodes from the underlying filesystems without checking that they actually provided a lookup operation (the lookup member of struct inode_operations). The VFS calls this operation to resolve a name inside a directory, and overlayfs relies on it every time it resolves a path in a lower or upper layer. If a directory inode has no lookup operation, the kernel ends up calling through a NULL function pointer, which is a NULL pointer dereference and crashes the kernel.
Exploit Details
No public exploit is known for this vulnerability. The failure the fix guards against is a kernel crash: triggering it requires mounting overlayfs over a lower or upper filesystem that hands out directory inodes without a lookup operation, so an attacker needs the ability to set up such a mount (root, or an unprivileged user namespace on a system that permits overlayfs mounts there). The outcome is a denial of service; nothing in the report or the fix indicates memory corruption, a bypass of security restrictions, or code execution.
The Fix
A patch has been developed to fix this issue. It updates ovl_dentry_weird(), the helper overlayfs uses to reject underlying dentries it cannot safely work with, so that a directory dentry whose inode has no lookup operation is treated as weird and refused. The following snippet shows the function before and after the change:
Before
bool ovl_dentry_weird(struct dentry *dentry)
{
    /* Don't support traversing automounts and other weirdness */
    return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT |
                              DCACHE_MANAGE_TRANSIT |
                              DCACHE_OP_HASH |
                              DCACHE_OP_COMPARE);
}
After
bool ovl_dentry_weird(struct dentry *dentry)
{
    /* Reject anything that is not a lookup-able directory, a file or a symlink */
    if (!d_can_lookup(dentry) && !d_is_file(dentry) && !d_is_symlink(dentry))
        return true;

    return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT |
                              DCACHE_MANAGE_TRANSIT |
                              DCACHE_OP_HASH |
                              DCACHE_OP_COMPARE);
}
As seen in the updated code, the function now first asks the dcache what kind of entry the dentry is. d_can_lookup() is true only for a directory whose inode has a lookup operation: when a directory inode is instantiated without one, the dcache types it DCACHE_AUTODIR_TYPE rather than DCACHE_DIRECTORY_TYPE. A dentry that is neither such a directory, a file (regular or special, so device nodes in a layer remain usable), nor a symlink is therefore reported as weird, and overlayfs refuses it instead of calling into the missing operation. Negative dentries, which have no inode at all, fail the same test.
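To make the check concrete, here is a user-space model written for this post; it is not code from the kernel or from the patch. It serves both the description of the bug above (a directory inode without a lookup operation) and the fix just shown: it mirrors how the dcache types such an inode and how ovl_dentry_weird() behaves before and after the change. The names d_flags_for_inode, d_instantiate, d_can_lookup, d_is_file, d_is_symlink and ovl_dentry_weird mirror the kernel's, and -EREMOTE mirrors the error ovl_lookup_single() returns for a weird dentry; the flag values, struct layouts, the simple_lookup operation, the -EFAULT stand-in for the crash, and the sample layer (good/data plus a broken/ directory) are all made up for the demonstration.

```c
/* Added example for this post, not kernel code: a user-space model of the CVE-2024-56570
 * check.  Function names mirror the kernel's; flag values, struct layouts and the sample
 * layer are made up for the demonstration. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Entry-type field of d_flags (one type per dentry) and one flag rejected before the fix. */
#define DCACHE_ENTRY_TYPE     0x07
#define DCACHE_DIRECTORY_TYPE 0x01 /* directory whose inode has a lookup op */
#define DCACHE_AUTODIR_TYPE   0x02 /* directory whose i_op->lookup is NULL */
#define DCACHE_REGULAR_TYPE   0x03
#define DCACHE_SPECIAL_TYPE   0x04 /* device node, fifo, socket */
#define DCACHE_SYMLINK_TYPE   0x05
#define DCACHE_NEED_AUTOMOUNT 0x10
#define d_type(d) ((d)->d_flags & DCACHE_ENTRY_TYPE)

enum inode_kind { KIND_DIR, KIND_REG, KIND_SPECIAL, KIND_SYMLINK };
struct dentry {
    const char *d_name;
    unsigned int d_flags;
    struct inode *d_inode;
    struct dentry *d_next; /* next sibling */
};
struct inode_operations {
    struct dentry *(*lookup)(struct inode *dir, const char *name); /* real op: qstr + flags */
};
struct inode {
    enum inode_kind kind;
    const struct inode_operations *i_op; /* assumed non-NULL in this model */
    struct dentry *children; /* first child, directories only */
};

/* Mirrors the kernel's d_flags_for_inode(): a directory with no lookup op is typed AUTODIR. */
static unsigned int d_flags_for_inode(const struct inode *inode)
{
    if (inode->kind == KIND_DIR)
        return inode->i_op->lookup ? DCACHE_DIRECTORY_TYPE : DCACHE_AUTODIR_TYPE;
    return inode->kind == KIND_REG     ? DCACHE_REGULAR_TYPE :
           inode->kind == KIND_SYMLINK ? DCACHE_SYMLINK_TYPE : DCACHE_SPECIAL_TYPE;
}
static void d_instantiate(struct dentry *d, struct inode *inode)
{
    d->d_inode = inode;
    d->d_flags = (d->d_flags & ~DCACHE_ENTRY_TYPE) | d_flags_for_inode(inode);
}
/* Type tests as in the kernel: "file" covers regular and special, so device nodes stay usable. */
#define d_can_lookup(d) (d_type(d) == DCACHE_DIRECTORY_TYPE)
#define d_is_symlink(d) (d_type(d) == DCACHE_SYMLINK_TYPE)
#define d_is_file(d)    (d_type(d) == DCACHE_REGULAR_TYPE || d_type(d) == DCACHE_SPECIAL_TYPE)

/* Before the fix: only flag-based oddities such as automount points are weird. */
static bool ovl_dentry_weird_before(const struct dentry *d) { return d->d_flags & DCACHE_NEED_AUTOMOUNT; }
/* After the fix: also refuse whatever is neither a lookup-able directory, a file nor a symlink. */
static bool ovl_dentry_weird_after(const struct dentry *d)
{
    if (!d_can_lookup(d) && !d_is_file(d) && !d_is_symlink(d))
        return true;
    return ovl_dentry_weird_before(d);
}

/* Minimal lookup op: linear scan of the directory's children. */
static struct dentry *simple_lookup(struct inode *dir, const char *name)
{
    for (struct dentry *c = dir->children; c; c = c->d_next)
        if (strcmp(c->d_name, name) == 0)
            return c;
    return NULL;
}
static const struct inode_operations dir_iops  = { .lookup = simple_lookup };
static const struct inode_operations leaf_iops = { .lookup = NULL }; /* no lookup op at all */

/* Overlayfs resolving a name inside a lower directory.  -EREMOTE is what ovl_lookup_single()
 * returns for weird dentries; -EFAULT stands in for the call through a NULL function pointer
 * the unfixed kernel would make, so the model reports the crash instead of suffering it. */
static int ovl_lookup_lower(struct dentry *dir, const char *name, bool fixed, struct dentry **res)
{
    if (fixed ? ovl_dentry_weird_after(dir) : ovl_dentry_weird_before(dir))
        return -EREMOTE;
    if (!dir->d_inode || !dir->d_inode->i_op->lookup)
        return -EFAULT; /* kernel: NULL pointer dereference, oops */
    *res = dir->d_inode->i_op->lookup(dir->d_inode, name);
    return *res ? 0 : -ENOENT;
}

/* Constructed sample layer: good/data is ordinary; broken/ is a directory inode that its
 * filesystem instantiated without a lookup op. */
static struct inode good_ino, broken_ino, data_ino;
static struct dentry good_dir = { .d_name = "good" }, broken_dir = { .d_name = "broken" },
                     data_file = { .d_name = "data" }, *result;
static int build_sample_layer(void)
{
    data_ino   = (struct inode){ .kind = KIND_REG, .i_op = &leaf_iops };
    good_ino   = (struct inode){ .kind = KIND_DIR, .i_op = &dir_iops, .children = &data_file };
    broken_ino = (struct inode){ .kind = KIND_DIR, .i_op = &leaf_iops }; /* lookup == NULL */
    d_instantiate(&data_file, &data_ino);
    d_instantiate(&good_dir, &good_ino);
    d_instantiate(&broken_dir, &broken_ino);
    return 0;
}
```

Compile with cc -std=c99 and exercise the two paths: on the old code path broken/ is not weird, so the model's lookup reaches the NULL operation and returns -EFAULT where the kernel would oops; with the fix, ovl_dentry_weird_after() reports it and the lookup fails cleanly with -EREMOTE, while good/data and a lookup-less regular file are unaffected.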
Conclusion
CVE-2024-56570 allowed an overlayfs mount over an unsuitable underlying filesystem to crash the kernel. The fix is a small type check in ovl_dentry_weird() that refuses directory inodes without a lookup operation before overlayfs tries to use them. The protection only applies once a patched kernel is running, so keep systems up to date with the latest kernel updates, especially on hosts where unprivileged users can create mounts.
Original references
- https://lore.kernel.org/lkml/20220317051741.24303-1-sergejivanov1422@gmail.com/
- https://github.com/torvalds/linux/commit/49418ecb68161f243c227d9bbe9a4734fc0881dd
Timeline
Published on: 12/27/2024 15:15:15 UTC
Last modified on: 01/20/2025 06:23:17 UTC