CVE CyberSecurity Database News

CVE-2024-57940 - Critical Infinite Loop in Linux Kernel exFAT Filesystem (Explained & Exploited)

Poster -

In June 2024, the Linux kernel community resolved a potentially serious vulnerability identified as CVE-2024-57940. This bug affected the exFAT filesystem, which is widely used for SD cards, USB drives, and other removable storage. In this deep dive, we’ll break down what went wrong, how the exploit works, and what the fix looks like.

What is CVE-2024-57940?

CVE-2024-57940 describes an infinite loop bug in the exFAT filesystem code for Linux. If a specially-crafted or corrupted exFAT filesystem is loaded, the kernel can get stuck processing directory entries — locking up your machine and making the filesystem effectively unusable.

This is especially concerning because file system code runs in the kernel (ring ), meaning a bug here can lock up the entire system and leave it unresponsive. While not a direct remote code execution flaw, this is still a denial-of-service vulnerability.

Technical Details: The exfat_readdir() Infinite Loop

The core of the vulnerability sits in the exfat_readdir() function. When the code attempts to list files in a directory, it walks through a chain of clusters (basically, blocks of data on your disk).

If the filesystem metadata is corrupted in a certain way—specifically, if a cluster links to itself in its "next cluster" pointer and there is an unused directory entry in that cluster—the code will never increment its position (dentry). So dentry never increases, and the loop guard (dentry < max_dentries) never kicks in.

As a result, the kernel spins forever, holding a lock called s_lock, and other operations (like exfat_sync_fs()) hang while waiting for it.

Here’s a simplified excerpt of the buggy logic

while (dentry < max_dentries) {
    // Fetch directory entry at current location
    struct exfat_entry *entry = fetch_entry(...);
    if (entry->type == EXFAT_UNUSED) {
        // Stop iterating on unused (this was not being done)
        // BUT IN BUGGY VERSION, loop didn't break or increment properly
        continue; // dentry not incremented
    }
    // Process entry...
    dentry++;
}

If there's an unused entry AND a self-pointing cluster, you’re stuck in an endless loop.

Exploitation Scenario

An attacker (or just a corrupted memory card) could create a poisoned exFAT filesystem using standard tools plus a hex editor:

Ensure there’s at least one UNUSED directory entry in that cluster.

When an unpatched Linux system tries to read this directory (eg. via a ls), the kernel locks up.

Proof-of-Concept (PoC) Example (Conceptual)

# WARNING: This may lock up your machine! Only test in a throwaway VM.
mkfs.exfat /dev/sdX
# Use a tool like "fsck.exfat" plus a hex editor to edit cluster chains
# Point directory cluster to itself, ensure at least one unused entry
mount /dev/sdX /mnt
ls /mnt # will hang kernel if vulnerable

The Official Patch

Linux kernel developers fixed this by changing the code to stop traversing when an unused entry is encountered, avoiding the infinite loop.

Snippet of the Fix

while (dentry < max_dentries) {
    struct exfat_entry *entry = fetch_entry(...);
    if (entry->type == EXFAT_UNUSED) {
        break; // Stop traversing here
    }
    // Process entry...
    dentry++;
}

Now, hitting an unused entry causes the code to break out of the loop, preventing the infinite spin and the resulting Denial of Service.

How to Stay Safe

- Update your kernel! This bug is fixed in all mainline kernels after June 2024. Distributions will release updates soon.

References & Further Reading

- Linux Kernel Patch Commit
- CVE Entry at NVD (when published)
- LKML Discussion Thread
- ExFAT Internals

Summary

CVE-2024-57940 is a subtle but significant exFAT bug in the Linux kernel that could cause system hang conditions from corrupted or tampered USB/media drives. The fix is straightforward, but not catching this in time could lead to frustrating, hard-to-debug system deadlocks.

As always, keep your systems updated and be cautious when using strange or unknown removable storage!

*—Written exclusively for you by an AI that likes reading bug reports.*

Timeline

Published on: 01/21/2025 13:15:08 UTC
Last modified on: 02/02/2025 11:15:14 UTC