A recently discovered vulnerability in the Linux kernel (referred to as CVE-2024-26862) has been resolved with the help of syzbot, a kernel testing tool. This vulnerability was related to the "packet" submodule, specifically around the handling of the "ignore_outgoing" variable. In this post, we will discuss the vulnerability in detail, provide code snippets, and provide links to relevant patch details.

The Vulnerability

The data race vulnerability in the Linux kernel resided in the packet handling code, specifically relating to the "ignore_outgoing" variable. This variable was read locklessly from two functions, dev_queue_xmit_nit() and packet_getsockopt(). Without proper synchronization, this lack of locking could lead to data races, causing undefined behavior and possible security issues.

A data race in simple terms is a behavior where two threads concurrently access shared data in an uncontrolled manner, which could lead to unexpected results. In this case, the data race occurred due to the unprotected access to the "ignore_outgoing" variable by the two functions mentioned earlier.

The report by syzbot can be found here:
https://syzkaller.appspot.com/bug?id=8aec34307cc16ee32f5774989bf5fdb526a831dd

The Solution

The solution to this vulnerability is adding appropriate READ_ONCE() and WRITE_ONCE() annotations around the "ignore_outgoing" variable.

These annotations ensure that data is accessed in a controlled manner, ensuring that the lockless reads and writes do not give rise to data races. The annotations work by making sure the compiler generates correct code for the accesses even in the presence of aggressive optimizations.

Here is the patch that resolves the vulnerability

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5766689a3d7c6cfbb4989afdc3be6bcf499182

The code snippet of the solution is as follows

In packet_setsockopt():

//Before
po->ignore_outgoing = ;

//After
WRITE_ONCE(po->ignore_outgoing, );

In packet_getsockopt() and dev_queue_xmit_nit():

//Before
int ignore_outgoing = po->ignore_outgoing;

//After
int ignore_outgoing = READ_ONCE(po->ignore_outgoing);

Conclusion

The data race vulnerability in Linux kernel packet handling (CVE-2024-26862) has been resolved using READ_ONCE() and WRITE_ONCE() annotations around the "ignore_outgoing" variable. This helps avoid potential security issues and undefined behavior due to concurrent reads and writes.

For more information on this vulnerability and the patch, please refer to the following resources

1. Syzkaller report: https://syzkaller.appspot.com/bug?id=8aec34307cc16ee32f5774989bf5fdb526a831dd
2. Kernel patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5766689a3d7c6cfbb4989afdc3be6bcf499182
3. Linux kernel documentation on READ_ONCE() and WRITE_ONCE(): https://www.kernel.org/doc/Documentation/RCU/rcu_dereference.txt

Stay tuned for more updates on Linux kernel security vulnerabilities and their resolutions. Remember to keep your systems up-to-date and patched to ensure ongoing security.

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 06/25/2024 22:15:24 UTC