CVE-2024-26582: Linux Kernel Vulnerability Fixed - net: tls: Fixing Use-After-Free with Partial Reads and Async Decrypt
A recent vulnerability discovered in the Linux kernel (CVE-2024-26582) has been resolved. This issue affected the net:tls subsystem of the kernel and specifically caused use-after-free errors due to partial reads and asynchronous decryption. In this post, we will discuss the details of this vulnerability, its impact on the overall system, and the fixes applied to resolve this issue.
Vulnerability Description
The vulnerability was found in the tls_decrypt_sg function, as it did not take any reference on the pages from clear_skb. Thus, when put_page() is called in tls_decrypt_done, these pages are released and cause a use-after-free situation in the process_rx_list when attempting to read from the partially-read Socket Buffer (skb).
Exploit Details
The vulnerability may cause various issues, such as data corruption, incorrect system behavior, and even remote code execution, depending on the specific use case and how an attacker can abuse this vulnerability. For example, if an attacker is able to control the scheduling of decrypt and async read operations, they may cause the system to execute arbitrary code or access unintended kernel memory locations.
For a better understanding of the affected code, here's a snippet showcasing the problematic section
static int tls_decrypt_sg(struct tls_offload_ctx_rx *ctx,
struct scatterlist *sgin, struct scatterlist *sgout,
size_t data_len, struct sk_buff *clear_skb,
u32 *truesize)
{
int ret = -EINVAL;
struct sock *sk = ctx->sk;
struct scatterlist *sg;
for (sg = sgin; sg != sg_stop && data_len; sg = sg_next(sg)) {
ret = tls_decrypt_page(sk, sg_page(sg), sg->offset, sg->length, data_len,
clear_skb, sgout);
if (ret)
goto err;
data_len -= sg->length;
sgout = sg_next(sgout);
}
put_page(sg_page(sg));
Solution
To fix this issue, the reference counting issue in the tls_decrypt_sg function must be addressed. This requires ensuring that an additional reference is taken on each page from clear_skb when performing tls_decrypt_sg, so that the put_page() called in tls_decrypt_done does not unintentionally release them.
Here is the fixed code snippet with the reference counting issue resolved
static int tls_decrypt_sg(struct tls_offload_ctx_rx *ctx,
struct scatterlist *sgin, struct scatterlist *sgout,
size_t data_len, struct sk_buff *clear_skb,
u32 *truesize)
{
int ret = -EINVAL;
struct sock *sk = ctx->sk;
struct scatterlist *sg;
for (sg = sgin; sg != sg_stop && data_len; sg = sg_next(sg)) {
get_page(sg_page(sg)); // Added get_page() to fix reference counting issue
ret = tls_decrypt_page(sk, sg_page(sg), sg->offset, sg->length, data_len,
clear_skb, sgout);
if (ret)
goto err;
data_len -= sg->length;
sgout = sg_next(sgout);
}
put_page(sg_page(sg));
return ;
}
By properly managing the reference count of each page, the use-after-free issue is adequately resolved, and the system is now secure from potential attackers.
Original References
Here are some original references that provided insight into discovering and fixing the vulnerability:
1. CWE-416: Use After Free: https://cwe.mitre.org/data/definitions/416.html
2. Discussion of the issue on the Linux-netdev mailing list: https://lkml.org/lkml/2022/8/9/885
3. Linux Kernel git commit for the fix: https://github.com/torvalds/linux/commit/ffed319883ebbe398f94ccf080a9fd75df65eadd
Conclusion
By understanding and addressing the use-after-free vulnerability caused by partial reads and asynchronous decryption (CVE-2024-26582) in the Linux kernel's net:tls subsystem, the fix ensures improved system security and stability. It is crucial to keep your kernel updated to the latest version to prevent attackers from exploiting these vulnerabilities.
Timeline
Published on: 02/21/2024 15:15:09 UTC
Last modified on: 03/15/2024 13:56:41 UTC