CVE-2024-35954
📋 TL;DR
A race condition in the Linux kernel's SCSI generic (sg) driver can cause a NULL pointer dereference when removing SCSI devices. This vulnerability allows local attackers to crash the kernel, causing denial of service. Systems using SCSI devices with the sg driver are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.
Likely Case
Local denial of service through kernel crash when specific SCSI device removal operations are performed.
If Mitigated
Minimal impact with proper access controls preventing local users from triggering the race condition.
🎯 Exploit Status
Requires local access and ability to trigger specific SCSI device removal operations. Race conditions can be challenging to reliably exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits: 27f58c04a8f438078583041468ec60597841284d, 46af9047523e2517712ae8e71d984286c626e022, b0d1ebcc1a9560e494ea9b3ee808540db26c5086
Vendor Advisory: https://git.kernel.org/stable/c/27f58c04a8f438078583041468ec60597841284d
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check with your distribution for security updates. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable sg driver module
linuxPrevent loading of the vulnerable sg driver if not needed
echo 'blacklist sg' >> /etc/modprobe.d/blacklist.conf
rmmod sg
Restrict device access
linuxLimit access to SCSI devices to prevent triggering the race condition
chmod 600 /dev/sg*
setfacl -m u:root:rw /dev/sg*
🧯 If You Can't Patch
- Restrict local user access to systems with SCSI devices
- Monitor for kernel panic logs and investigate any sg driver related crashes
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if sg driver is loaded: lsmod | grep sg && uname -rCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or check with distribution security updates📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- NULL pointer dereference in kernel logs
- sg driver related crash dumps
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer" OR "kernel panic" OR "sg_remove_sfp")🔗 References
- https://git.kernel.org/stable/c/27f58c04a8f438078583041468ec60597841284d
- https://git.kernel.org/stable/c/46af9047523e2517712ae8e71d984286c626e022
- https://git.kernel.org/stable/c/b0d1ebcc1a9560e494ea9b3ee808540db26c5086
- https://git.kernel.org/stable/c/27f58c04a8f438078583041468ec60597841284d
- https://git.kernel.org/stable/c/46af9047523e2517712ae8e71d984286c626e022
- https://git.kernel.org/stable/c/b0d1ebcc1a9560e494ea9b3ee808540db26c5086
