CVE-2024-26861 - Data-race vulnerability in Linux kernel WireGuard resolved

In the Linux kernel, a vulnerability has been identified and resolved related to the popular WireGuard VPN protocol. The vulnerability, dubbed CVE-2024-26861, affects how the protocol handles the receiving_counter.counter variable within the kernel, and could lead to potential data-race issues when accessing keypair->receiving_counter.counter. In this article, we'll dive into the details of the vulnerability, the fix, and its implications.

The vulnerability

The WireGuard VPN protocol has gained widespread popularity in recent years due to its performance, security, and ease of use. One of the key strengths of the protocol is its implementation within the Linux kernel, which allows for efficient and secure handling of encrypted packets at very high speeds.

A data-race vulnerability in the WireGuard implementation in the Linux kernel related to the receiving_counter.counter variable was identified by Syzkaller with KCSAN. If exploited, this data-race issue could potentially lead to unpredictable behavior, crashes, or security issues.

Here's an overview of the issue

BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll
[...]

The vulnerability occurs during the handling of encrypted packets within the WireGuard receiver component. The receiving_counter.counter variable is accessed by multiple parts of the codebase, potentially leading to race conditions.

The fix

In response to the issue, the Linux kernel developers have introduced READ_ONCE() and WRITE_ONCE() annotations to mark the data race as intentional. These annotations indicate that the accesses to the receiving_counter.counter variable are expected, and any synchronization issues should be ignored.

Here's the relevant code snippet that includes the annotations

// drivers/net/wireguard/receive.c
// ...
counter_validate(read_once(&keypair->receiving_counter.counter),
side_mask(keypair->remote->last_sent_handshake),
true);
write_once(&keypair->receiving_counter.counter,
monotime_absolute() + NSEC_PER_SEC);
// ...

By using these annotations, the Linux kernel developers ensure that the receiving_counter.counter variable can be safely accessed by multiple parts of the WireGuard implementation without creating any data-race issues.

Original references

For additional information on this vulnerability and the corresponding fix, you can refer to the following resources:

- Linux kernel commit: wireguard: receive: annotate data-race around receiving_counter.counter
- Syzkaller tool: https://github.com/google/syzkaller
- KCSAN (Kernel Concurrency Sanitizer): https://github.com/google/ktsan
- WireGuard project: https://www.wireguard.com/

Exploit details

As of now, there are no known exploits for this vulnerability. The data-race issue has been addressed in the latest Linux kernel releases, and we recommend updating your systems to a patched kernel version. This will protect your systems from potential issues that could stem from the data-race vulnerability in the WireGuard VPN implementation.

Conclusion

CVE-2024-26861 represents a data-race vulnerability in the WireGuard VPN implementation within the Linux kernel. By resolving this issue with proper READ_ONCE() and WRITE_ONCE() annotations, the kernel developers have ensured that WireGuard can continue to provide safe, secure, and efficient encrypted communication for Linux users.

Timeline

Published on: 04/17/2024 11:15:08 UTC
Last modified on: 06/25/2024 22:15:24 UTC