A recently discovered vulnerability, CVE-2024-0646, has been found in Linux kernel's Transport Layer Security (TLS) functionality. This flaw affects the way in which a user calls a function splice when a ktls socket serves as the destination. To exploit this vulnerability, a local user could potentially crash the system or escalate their privileges. In this article, we will take a closer look at the details of this vulnerability, provide code snippets to understand the exploit, and offer links to relevant references.

Description of the Vulnerability

Linux kernel's TLS implementation is vulnerable to an out-of-bounds memory write flaw. The vulnerability can be triggered when a user calls the splice() system call, with a kernel TLS (ktls) socket as the destination file descriptor. The kernel fails to validate the size of the amount being spliced, which can lead to an out-of-bounds memory write. Consequently, this could enable an attacker to crash the kernel, and possibility escalate their privileges on a vulnerable system.

Code Snippets

The following code snippets illustrate the vulnerability as it appears in the Linux kernel source code (demonstrated for educational purposes). Note that the vulnerable kernel versions can change, so ensure to check the references to confirm if your kernel version is affected.

1. Here is how an attacker might call the splice() system call, using a vulnerable ktls socket as the destination:

#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <netinet/in.h>

int main() {
  int fd_in, ktls_socket;
  struct sockaddr_in server_addr;
  const size_t data_to_splice = 8192; // The size of the amount being spliced

  // Create ktls socket
  ktls_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

  // Initialize server_addr with a valid server_addr
  // ...

  // Connect to ktls_socket
  connect(ktls_socket, (struct sockaddr *)&server_addr, sizeof(server_addr));

  // Create fd_in (source file descriptor)
  // ...

  // Call splice() system call with vulnerable ktls_socket as the destination
  splice(fd_in, NULL, ktls_socket, NULL, data_to_splice, );

  return ;
}

This is a simplified version of the vulnerable kernel code

ssize_t tls_device_splice_write(struct pipe_inode_info *pipe,
                                struct file *out, loff_t *ppos,
                                size_t len, unsigned int flags)
{
  // ...
  // The kernel fails to validate the size of the amount being spliced
  // and writes an out-of-bound amount of data
  // ...
}

Exploit Details

To exploit the vulnerability, an attacker must have local access to the vulnerable system. They must then utilize the splice() system call with a ktls socket as the destination in a way that exploits the out-of-bounds memory write. Successful exploitation of the vulnerability could allow the attacker to crash the kernel or escalate their privileges on the affected system.

Original References

1. CVE-2024-0646: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0646
2. Linux kernel issue tracker: https://github.com/torvalds/linux/commit/fa33128988314142b1ae52660d854131a36a2634

Mitigation and Fixes

We recommend following the latest security advisories and applying relevant kernel updates to fix this vulnerability. Always ensure that your systems are running the latest software versions and security patches. In addition, limiting local user access to sensitive systems and applications can reduce the potential impact of this vulnerability.

Timeline

Published on: 01/17/2024 16:15:47 UTC
Last modified on: 03/13/2024 15:15:50 UTC