The world of Linux kernel users recently saw a critical vulnerability patched by developers, one that attracted the CVE identifier of CVE-2024-56763. This long read post uncovers the layers of this vulnerability, which revolves around a tracing function and how it could lead to unexpected behavior. We'll delve into the code snippets, reference the original sources, and discuss the exploit details in an easy-to-understand language.

Background of the vulnerability

The Linux kernel is a monolithic, open-source operating system kernel that has seen almost three decades of development history. With its roots going as far back as 1991, it has been the basis for the popular server distribution, Ubuntu, and a host of other Linux-based operating systems.

As Linux kernel is a complex system, it's not unusual for vulnerabilities to surface over time. One such vulnerability is the "tracing: Prevent bad count for tracing_cpumask_write" issue resolved recently. Taking advantage of this bug could lead to warnings being triggered due to large counts and potential kernel crashes, severely affecting system stability.

Code snippet shedding light on the issue

Within the Linux kernel, the 'tracing_cpumask_write()' function is responsible for handling the writing operation on the cpumask file. The vulnerability arises if a large count is provided. The snippet below showcases the issue:

static ssize_t tracing_cpumask_write(struct file *file,
			const char __user *user_buf,
			size_t count, loff_t *ppos)
{
	cpu_bitmap_write_t *cbw = file->private_data;
	cpumask_var_t mask;
	ssize_t ret;
	ret = bitmap_parse_user(user_buf, count, mask);
	if (ret < )
		return ret;
	cbw->write(mask, cbw->tr);
	return count;
}

The changelog for the fix, available for everyone to see on the mailing list archive, can be found here:
https://lore.kernel.org/lkml/20230308195254.697862-2-link@fedoraproject.org/

The patch itself, introduced by Jeremy Cline, is available here

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d1af164567a2fa0706d344a9471c2bbef518

Exploit details

While there are no public details of a working exploit leveraging this vulnerability available at the time of writing this post, its potential consequences are clear. An attacker could use the large count provided to cause a WARN_ON in 'bitmap_parse_user()', causing noise in the logs or potentially leading to system crashes. Initializing the cpumask bitmap with a zero count is accounted as a bad value, triggering the warning. The vulnerability has the potential to lead to a denial of service (DoS) attack.

The remedy

Developers fixed the flaw by adding a check for bad count values. In the patched version, the 'tracing_cpumask_write()' function checks for a zero count while also handling large counts. The updated snippet of the code is shown below:

static ssize_t tracing_cpumask_write(struct file *file,
			const char __user *user_buf,
			size_t count, loff_t *ppos)
{
	cpu_bitmap_write_t *cbw = file->private_data;
	cpumask_var_t mask;
	ssize_t ret;

	if (count == )
		return -EINVAL;

	ret = bitmap_parse_user(user_buf, count, mask);
	if (ret < )
		return ret;

	cbw->write(mask, cbw->tr);
	return count;
}

Conclusion

CVE-2024-56763 demonstrates the need for continuous scrutiny of operating systems like the Linux kernel. Thanks to the ever-vigilant open-source community and developers like Jeremy Cline, the issue was resolved before becoming a severe concern. As a Linux kernel user or administrator, it's crucial to stay up-to-date with patches and updates to ensure system security and stability.

Timeline

Published on: 01/06/2025 17:15:42 UTC
Last modified on: 01/07/2025 23:03:48 UTC