CVE-2024-47742

Severity CVSS v4.0:
Pending analysis
Type:
CWE-22 Path Traversal
Publication date:
21/10/2024
Last modified:
12/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware_loader: Block path traversal

Most firmware names are hardcoded strings, or are constructed from fairly
constrained format strings where the dynamic parts are just some hex
numbers or such.

However, there are a couple codepaths in the kernel where firmware file
names contain string components that are passed through from a device or
semi-privileged userspace; the ones I could find (not counting interfaces
that require root privileges) are:

- lpfc_sli4_request_firmware_update() seems to construct the firmware
  filename from "ModelName", a string that was previously parsed out of
  some descriptor ("Vital Product Data") in lpfc_fill_vpd()
- nfp_net_fw_find() seems to construct a firmware filename from a model
  name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
  think parses some descriptor that was read from the device.
  (But this case likely isn't exploitable because the format string looks
  like "netronome/nic_%s", and there shouldn't be any *folders* starting
  with "netronome/nic_". The previous case was different because there,
  the "%s" is *at the start* of the format string.)
- module_flash_fw_schedule() is reachable from the
  ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
  GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
  enough to pass the privilege check), and takes a userspace-provided
  firmware name.
  (But I think to reach this case, you need to have CAP_NET_ADMIN over a
  network namespace that a special kind of ethernet device is mapped into,
  so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device
drivers that use the firmware loader dangerously.
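The fix described above rejects firmware names that contain a ".." path component. The following is an added illustration of that kind of check and is not the kernel's own code: the function names (fw_name_contains_dotdot, fw_name_validate, count_rejected_samples) and the sample names are constructed for this example. It walks the name component by component, so a ".." that is only part of a longer component (such as "foo..bar.bin", or the "nic_.." that a prefix like "netronome/nic_%s" would produce) is left alone, while a leading, embedded or trailing ".." component is refused.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the kernel's code: return true if any
 * '/'-separated component of `name` is exactly "..".  A ".." that is
 * merely part of a longer component (e.g. "foo..bar.bin") is not a
 * traversal and is left alone.
 */
bool fw_name_contains_dotdot(const char *name)
{
    const char *p = name;

    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!slash)
            return false;
        p = slash + 1;
    }
}

/*
 * Hypothetical request-time gate (name is an assumption, not a kernel
 * API): 0 if the name may be handed on to the firmware search paths,
 * -EINVAL otherwise.  Empty names are rejected as well.
 */
int fw_name_validate(const char *name)
{
    if (!name || name[0] == '\0')
        return -EINVAL;
    if (fw_name_contains_dotdot(name))
        return -EINVAL;
    return 0;
}

/*
 * Constructed sample names, patterned on the two format shapes in the
 * commit message: "%s" at the start of the name (lpfc) and a fixed
 * prefix such as "netronome/nic_%s" (nfp).
 */
static const char *const sample_names[] = {
    "lpfc_model.grp",              /* plain hardcoded-style name: ok */
    "netronome/nic_AMDA0096.nffw", /* prefix-constrained name: ok */
    "foo..bar.bin",                /* ".." inside a component: ok */
    "../../x/fw.bin",              /* leading ".." components: rejected */
    "vendor/../model.bin",         /* embedded ".." component: rejected */
    "model.bin/..",                /* trailing ".." component: rejected */
    "netronome/nic_../x.nffw",     /* "nic_.." is an ordinary component: ok */
};

/* Run the gate over the samples and return how many it rejects. */
int count_rejected_samples(void)
{
    int rejected = 0;
    size_t i;

    for (i = 0; i < sizeof(sample_names) / sizeof(sample_names[0]); i++) {
        int rc = fw_name_validate(sample_names[i]);

        printf("%-30s -> %s\n", sample_names[i], rc ? "rejected" : "ok");
        if (rc)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Three of the seven constructed names carry a ".." component. */
    return count_rejected_samples() == 3 ? 0 : 1;
}
```

The component-wise walk is what makes the check both sufficient and narrow: a plain substring search for ".." would also refuse harmless names like "foo..bar.bin", while a check only for a leading "../" would miss "vendor/../model.bin". Where a driver builds the name from device-supplied data, this gate belongs at the point where the name is handed to the loader, before any filesystem path is assembled.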

Vulnerable products and versions

CPE                                              | From              | Up to
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |                   |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 3.7 (including)   | 4.19.323 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 4.20 (including)  | 5.4.285 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.5 (including)   | 5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.11 (including)  | 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.16 (including)  | 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.2 (including)   | 6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.7 (including)   | 6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 6.11 (including)  | 6.11.2 (excluding)