CVE-2024-53142

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
06/12/2024
Last modified:
14/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

initramfs: avoid filename buffer overrun

The initramfs filename field is defined in
Documentation/driver-api/early-userspace/buffer-format.rst as:

 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data
 ...
 55 ============= ================== =========================
 56 Field name    Field size         Meaning
 57 ============= ================== =========================
 ...
 70 c_namesize    8 bytes            Length of filename, including final \0

When extracting an initramfs cpio archive, the kernel's do_name() path
handler assumes a zero-terminated path at @collected, passing it
directly to filp_open() / init_mkdir() / init_mknod().

If a specially crafted cpio entry carries a non-zero-terminated filename
and is followed by uninitialized memory, then a file may be created with
trailing characters that represent the uninitialized memory. The ability
to create an initramfs entry would imply already having full control of
the system, so the buffer overrun shouldn't be considered a security
vulnerability.

Append the output of the following bash script to an existing initramfs
and observe any created /initramfs_test_fname_overrunAA* path. E.g.
./reproducer.sh | gzip >> /myinitramfs

It's easiest to observe non-zero uninitialized memory when the output is
gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),
rather than the initrd_start+initrd_size block.

---- reproducer.sh ----
nilchar="A" # change to "\0" to properly zero terminate / pad
magic="070701"
ino=1
mode=$(( 0100777 ))
uid=0
gid=0
nlink=1
mtime=1
filesize=0
devmajor=0
devminor=1
rdevmajor=0
rdevminor=0
csum=0
fname="initramfs_test_fname_overrun"
namelen=$(( ${#fname} + 1 )) # plus one to account for terminator

printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
	$magic $ino $mode $uid $gid $nlink $mtime $filesize \
	$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname

termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
printf "%.s${nilchar}" $(seq 1 $termpadlen)
---- reproducer.sh ----

Symlink filename fields handled in do_symlink() won't overrun past the
data segment, due to the explicit zero-termination of the symlink
target.

Fix filename buffer overrun by aborting the initramfs FSM if any cpio
entry doesn't carry a zero-terminator at the expected (name_len - 1)
offset.
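The check the fix adds to the kernel FSM can be applied to an initramfs image before it is deployed. The following stand-alone checker is an added example, not part of the advisory or the kernel patch: it walks the cpio "newc" records using the layout quoted above (110-byte header, c_namesize including the terminator, ALGN(4) padding) and reports any entry whose filename is not NUL-terminated at offset name_len - 1. The entry builder mirrors the field order of reproducer.sh so that constructed good and bad archives can be checked offline.

```python
HEADER_LEN = 110              # "070701" + 13 fields of 8 hex digits
NEWC_MAGIC = b"070701"
TRAILER = b"TRAILER!!!"       # end-of-archive record the kernel looks for


def align4(n: int) -> int:
    """ALGN(4) from buffer-format.rst: round n up to a multiple of 4."""
    return (n + 3) & ~3


def newc_entry(name: bytes, data: bytes = b"", terminator: bytes = b"\0") -> bytes:
    """Build one newc entry (constructed test input, same field order as the
    advisory's reproducer.sh). terminator=b"A" yields the non-terminated case."""
    namesize = len(name) + 1                     # c_namesize counts the \0
    fields = [1, 0o100777, 0, 0, 1, 1, len(data), 0, 1, 0, 0, namesize, 0]
    body = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name + terminator
    body += terminator * (align4(len(body)) - len(body))   # ALGN(4) after name
    body += data
    return body + b"\0" * (align4(len(body)) - len(body))  # ALGN(4) after data


def check_newc_archive(archive: bytes) -> list:
    """Walk the records and return [(offset, reason)] for the first malformed
    entry; an empty list means every record up to TRAILER!!! is well-formed."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            return [(off, "bad magic")]
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_off = off + HEADER_LEN
        name = archive[name_off:name_off + namesize]
        if len(name) < namesize:
            return [(off, "c_namesize exceeds remaining archive bytes")]
        # do_name() relies on this byte being 0; the fix aborts the FSM when it is not
        if namesize == 0 or name[-1] != 0:
            return [(off, "filename not NUL-terminated at name_len - 1")]
        if name[:-1] == TRAILER:
            return []
        off = align4(align4(name_off + namesize) + filesize)
    return [(off, "archive ends without TRAILER!!! entry")]


if __name__ == "__main__":
    # Constructed sample: one non-terminated entry followed by the trailer.
    sample = newc_entry(b"initramfs_test_fname_overrun", terminator=b"A") + newc_entry(TRAILER)
    print(check_newc_archive(sample))
```

To scan a real image, decompress it first (e.g. with gunzip) and pass the raw bytes; a gzipped initramfs will be rejected at offset 0 with "bad magic".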

Vulnerable products and versions

CPE                                           From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  2.6.12 (including)   4.19.325 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  4.20 (including)     6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)      6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.12 (including)     6.12.2 (excluding)