PT-2024-35666 · Linux · Linux Kernel
Published 2024-10-25 · Updated 2026-05-26 · CVE-2024-53219
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.9.0-rc5+
Description
A vulnerability in the Linux kernel has been resolved, related to the virtiofs module. When trying to insert a 10MB kernel module kept in a virtio-fs with cache disabled, a warning is triggered due to an abnormal memory allocation size. The issue occurs because the maximal read size for a kvec iter is only limited by fc->max_read, which is set to UINT_MAX for virtio-fs, so fuse_direct_io() does not split the 10MB buffer. This leads to a kmalloc() call with a 10MB size parameter, triggering a warning in alloc_pages(). The vulnerability can cause the finit_module() function to hang forever.
Technical details about exploitation include:
- The finit_module() syscall handles the module insertion and invokes kernel_read_file() to read the content of the module first.
- The kernel_read_file() function allocates a 10MB buffer by using vmalloc() and passes it to kernel_read().
- The fuse_file_read_iter() function invokes fuse_direct_io() when virtio-fs disables the cache.
- The virtio_fs_enqueue_req() function uses kmalloc() to allocate a bounce buffer for all fuse args.
Recommendations
To resolve the issue, update the Linux kernel to a version that includes the fix for the virtiofs module, which introduces the use of pages instead of pointers for kernel direct I/O. This change lets fuse pass kvec I/O data as pages, so a single request can no longer grow to an abnormal allocation size.
Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than updating to a version after 6.9.0-rc5+.
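As an added illustration (not code from the advisory or from the kernel), the simplified C model below compares the two per-request bounds described above: the pre-fix kvec path, bounded only by fc->max_read (UINT_MAX on virtio-fs), and the page-based path introduced by the fix, bounded by fc->max_pages. The page size, the maximum page order, and the fc->max_pages value are assumptions for x86-64 with 4 KiB pages, and the request sizes are modelled, not measured.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed constants (x86-64, 4 KiB pages); not taken from the advisory. */
#define MODEL_PAGE_SIZE        4096u
#define MODEL_MAX_PAGE_ORDER   10u
#define MODEL_KMALLOC_MAX      ((size_t)MODEL_PAGE_SIZE << MODEL_MAX_PAGE_ORDER) /* 4 MiB */
#define MODEL_MODULE_SIZE      (10u * 1024u * 1024u)  /* the 10MB module from the advisory */
#define MODEL_MAX_PAGES        256u                   /* assumed fc->max_pages (FUSE_MAX_MAX_PAGES) */

struct split_result {
    unsigned nreq;      /* number of FUSE requests the read is split into */
    size_t   largest;   /* largest data payload carried by a single request */
    int      warns;     /* 1 if a payload exceeds what kmalloc() can serve in one allocation */
};

/* Model of fuse_direct_io() chunking: each request carries at most per_req bytes. */
static struct split_result split_read(size_t total, size_t per_req)
{
    struct split_result r = {0, 0, 0};
    while (total > 0) {
        size_t n = total < per_req ? total : per_req;
        r.nreq++;
        if (n > r.largest) r.largest = n;
        if (n > MODEL_KMALLOC_MAX) r.warns = 1;   /* order > MAX_PAGE_ORDER: alloc_pages() warns */
        total -= n;
    }
    return r;
}

/* Pre-fix kvec path: the only bound is fc->max_read, which virtio-fs sets to UINT_MAX,
 * so the whole 10 MiB buffer becomes one request and one oversized bounce-buffer kmalloc(). */
struct split_result model_pointer_path(void)
{
    return split_read(MODEL_MODULE_SIZE, (size_t)UINT_MAX);
}

/* Post-fix page path: data travels as pages, so a request is capped at max_pages pages
 * regardless of max_read, and the bounce buffer no longer has to hold the payload. */
struct split_result model_page_path(void)
{
    return split_read(MODEL_MODULE_SIZE, (size_t)MODEL_MAX_PAGES * MODEL_PAGE_SIZE); /* 1 MiB */
}

int main(void)
{
    struct split_result a = model_pointer_path(), b = model_page_path();
    printf("pointer path: %u request(s), largest %zu bytes, warns=%d\n", a.nreq, a.largest, a.warns);
    printf("page path:    %u request(s), largest %zu bytes, warns=%d\n", b.nreq, b.largest, b.warns);
    return 0;
}
```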
Affected Products
Alt Linux
Debian
Linuxmint
Linux Kernel
Ubuntu