PT-2024-3463 · Linux · Linux Kernel

Oscar Salvador · Published 2024-02-07 · Updated 2025-01-07 · CVE-2024-26688

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.8.0-rc2-default+
Description: The vulnerability is a NULL pointer dereference in the hugetlbfs_fill_super() function when a hugetlb filesystem is configured via the fsconfig() syscall. When the requested pagesize is invalid, ctx->hstate is replaced with NULL. When hugetlbfs_fill_super() later dereferences ctx->hstate, the result is a NULL pointer dereference and a kernel crash.
The issue arises from the following steps:
  1. Opening a hugetlbfs filesystem using fsopen().
  2. Setting the pagesize using fsconfig() with an invalid value.
  3. Creating the filesystem using fsconfig() with FSCONFIG_CMD_CREATE.
Technical details about exploitation include:
  • API Endpoints: The vulnerability is exploited through the fsconfig() syscall, specifically when setting the pagesize parameter.
  • Vulnerable Parameters or Variables: The ctx->hstate variable is replaced with NULL when an invalid pagesize is requested.
  • Function Names: The hugetlbfs_fill_super() and hugetlbfs_parse_param() functions are involved in the vulnerability.
Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the NULL pointer dereference in hugetlbfs_fill_super(). As a temporary workaround, consider restricting the use of the hugetlbfs filesystem or validating the pagesize parameter before setting it via fsconfig().
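Added example, not code from this advisory or from the kernel tree: a user-space C model of the defect described above, showing the vulnerable parse step beside a hardened one that validates into a local and commits to the context only on success. The hstate table, the context struct and the helper names are simplified stand-ins for the kernel's; that the upstream fix takes this validate-then-commit shape is my reading of the description, not something the page states.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-in for the kernel's hstate table: in this model only
 * 2 MB and 1 GB huge pages are supported. */
struct hstate { unsigned long size; };
static struct hstate hstates[] = { { 2UL << 20 }, { 1UL << 30 } };

/* Model of size_to_hstate(): NULL when no hstate matches the requested size. */
static struct hstate *size_to_hstate(unsigned long size)
{
    for (size_t i = 0; i < sizeof hstates / sizeof hstates[0]; i++)
        if (hstates[i].size == size)
            return &hstates[i];
    return NULL;
}

/* Model of the filesystem context; hstate starts out pointing at a valid
 * default, as the real context does after fsopen() (assumption). */
struct hugetlbfs_fs_context { struct hstate *hstate; };

/* Vulnerable pattern: the context is overwritten before the value is
 * validated, so a rejected pagesize leaves ctx->hstate NULL even though
 * -EINVAL is returned to the caller. */
static int parse_pagesize_vulnerable(struct hugetlbfs_fs_context *ctx, unsigned long ps)
{
    ctx->hstate = size_to_hstate(ps);
    if (!ctx->hstate)
        return -EINVAL;
    return 0;
}

/* Hardened pattern: validate into a local and commit only on success, so a
 * failed fsconfig() call leaves the context exactly as it was. */
static int parse_pagesize_fixed(struct hugetlbfs_fs_context *ctx, unsigned long ps)
{
    struct hstate *h = size_to_hstate(ps);
    if (!h)
        return -EINVAL;
    ctx->hstate = h;
    return 0;
}

/* Replays the description's sequence: open, set an invalid 3 MB pagesize
 * (rejected), then create. Returns 1 if create would dereference NULL. */
static int replay(int (*parse)(struct hugetlbfs_fs_context *, unsigned long))
{
    struct hugetlbfs_fs_context ctx = { .hstate = &hstates[0] }; /* fsopen() */
    int err = parse(&ctx, 3UL << 20);  /* fsconfig(): -EINVAL in both versions */
    return err < 0 && ctx.hstate == NULL; /* would FSCONFIG_CMD_CREATE crash? */
}
```

The point the model makes is that an error return from a parameter parser is not enough on its own; the context that a later create step consumes must be left untouched when the parameter is rejected.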

Exploit · Fix

Weakness Enumeration: NULL Pointer Dereference

Related Identifiers

BDU:2024-03751
CVE-2024-26688
DLA-3842-1
DSA-5658-1
DSA-5681-1
OESA-2024-1619
OESA-2024-1620
OESA-2024-1621
OESA-2024-1622
OPENSUSE-SU-2024_1641-1
OPENSUSE-SU-2024_1642-1
OPENSUSE-SU-2024_1644-1
OPENSUSE-SU-2024_1659-1
OPENSUSE-SU-2024_1663-1
SUSE-SU-2024:1641-1
SUSE-SU-2024:1642-1
SUSE-SU-2024:1644-1
SUSE-SU-2024:1645-1
SUSE-SU-2024:1647-1
SUSE-SU-2024:1650-1
SUSE-SU-2024:1659-1
SUSE-SU-2024:1663-1
USN-6820-1
USN-6820-2
USN-6821-1
USN-6821-2
USN-6821-3
USN-6821-4
USN-6828-1
USN-6831-1
USN-6867-1
USN-6871-1
USN-6892-1
USN-6895-1
USN-6895-2
USN-6895-3
USN-6895-4
USN-6900-1
USN-6919-1

Affected Products

Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu