CVE-2024-26865 is a use-after-free in the Linux kernel's rds_tcp module, found by syzkaller and fixed upstream by the commit "rds: tcp: Fix use-after-free of net in reqsk_timer_handler()". This post outlines the triggering sequence, the root cause, the shape of the fix and the relevant part of the KASAN report, with links to the original references for readers who want the full logs.
The fix's commit message reconstructs the triggering sequence from the syzkaller log (the telling detail is a connect() to port 0x4001, which is RDS_TCP_PORT):

1. unshare(CLONE_NEWNET) creates a per-netns kernel TCP listener in rds_tcp_listen_init().
2. The test program connect()s to it, which creates a request socket (reqsk).
3. The test program exit()s immediately.
4. The netns is dismantled. [0] (ref_tracker: net notrefcnt@0000000065449cc3)
5. The reqsk timer fires, and a use-after-free (UAF) happens while freeing the reqsk. [1] (BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop)
6. The listener is freed after the RCU (read-copy-update) grace period. [2]
The root cause is a lifetime assumption. A request socket holds a reference to its listener and relies on the listener keeping the network namespace alive until every reqsk timer has expired. That holds for user-space listeners, which take a refcount on their netns, but not for kernel sockets such as the listener rds_tcp creates: the netns can be torn down and freed while a SYN-ACK retransmit timer is still pending, and when reqsk_timer_handler() finally runs it dereferences the freed net, which KASAN reports as a slab-use-after-free.
The same problem had already been fixed once, by commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()"), which makes netns teardown walk the established hash table and drop any pending request sockets of a kernel listener before the namespace goes away. That cleanup only covered the per-netns ehash (opt-in via net.ipv4.tcp_child_ehash_entries); the rds_tcp listener lives in the global ehash, so the fix for CVE-2024-26865 applies the same cleanup there.

The KASAN report's call trace (innermost frame first) shows the timer path that touches the freed net:

```
inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)
reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)
call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
```
For the full patch and the complete logs, see the original references:

- [Netns tracker warning][0]
- [KASAN splat][1]
- [Another ref tracker warning][2]
In conclusion, CVE-2024-26865 is a use-after-free of the network namespace in reqsk_timer_handler(), reachable through the kernel TCP listener that rds_tcp creates in every netns. It was fixed by extending the request-socket cleanup in inet_twsk_purge() from the per-netns ehash to the global ehash, so a dying netns no longer leaves timers behind that point at freed memory. Update to a kernel that carries the fix; where RDS over TCP is not used, preventing the rds_tcp module from loading also removes the listener that makes this path reachable.
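As an added example (not code from the original post or from the kernel tree), the following POSIX shell script turns the "run a fixed kernel" advice into a repeatable check: it compares the running release against a branch-to-fixed-release table and looks for rds_tcp in /proc/modules, since the vulnerable path only exists once that module has created its kernel listener. The fixed-release table, the function names and the sample /proc/modules lines are assumptions made for this example; confirm the table against the kernel.org CVE record for CVE-2024-26865 before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original post or from the kernel tree.
# It classifies a host's exposure to CVE-2024-26865 from three inputs that
# can be collected offline: the kernel release string (uname -r), the text
# of /proc/modules, and a table of "branch=first-fixed-release" entries.
# The table below is an ASSUMPTION for illustration; fill it from the
# kernel.org CVE record (or your distribution's advisory) before use.
FIXED_TABLE="6.1=6.1.83 6.6=6.6.23 6.7=6.7.11 6.8=6.8.2"

# version_ge A B: exit 0 if release A is >= release B. Compares numeric
# dot-separated fields; a suffix such as "-generic" or "+" is ignored,
# and missing fields count as 0 (so 6.8 < 6.8.2).
version_ge() {
    _a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//').
    _b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//').
    _i=1
    while :; do
        _x=$(printf '%s\n' "$_a" | cut -s -d. -f"$_i")
        _y=$(printf '%s\n' "$_b" | cut -s -d. -f"$_i")
        [ -z "$_x" ] && [ -z "$_y" ] && return 0
        _x=${_x:-0}; _y=${_y:-0}
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
        _i=$((_i + 1))
    done
}

# exposure_status RELEASE MODULES_TEXT TABLE
# prints one of:
#   fixed       release is at or past the fixed release for its branch
#   not-loaded  rds_tcp is not loaded, so rds_tcp_listen_init() never ran
#               and the kernel listener that makes this path reachable does
#               not exist (it can still appear if the module loads later)
#   exposed     vulnerable release and rds_tcp is loaded
#   unknown     branch not in TABLE; check the advisory by hand
exposure_status() {
    _rel="$1"; _mods="$2"; _table="$3"
    _branch=$(printf '%s' "$_rel" | cut -d. -f1,2)
    _fixed=""
    for _e in $_table; do
        case "$_e" in "$_branch="*) _fixed="${_e#*=}" ;; esac
    done
    if [ -n "$_fixed" ] && version_ge "$_rel" "$_fixed"; then
        echo fixed
        return 0
    fi
    if ! printf '%s\n' "$_mods" | grep -q '^rds_tcp '; then
        echo not-loaded
        return 0
    fi
    if [ -z "$_fixed" ]; then echo unknown; else echo exposed; fi
}

# Constructed sample of /proc/modules lines (not captured from a real host).
SAMPLE_MODULES='rds_tcp 28672 0 - Live 0xffffffffc0a00000
rds 131072 1 rds_tcp, Live 0xffffffffc09c0000
xt_conntrack 16384 1 - Live 0xffffffffc0900000'

# Usage on the current host:  sh check_cve_2024_26865.sh --host
if [ "${1:-}" = "--host" ]; then
    exposure_status "$(uname -r)" "$(cat /proc/modules 2>/dev/null)" "$FIXED_TABLE"
fi
```

The not-loaded result is a point-in-time answer: the module can still be loaded later, so on hosts that do not need RDS over TCP pair it with a modprobe.d entry such as `install rds_tcp /bin/false`, which makes that state permanent.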
[0]: https://lkml.org/lkml/2021/9/22/341
[1]: https://lkml.org/lkml/2021/9/22/342
[2]: https://lkml.org/lkml/2021/9/22/343
Timeline
Published on: 04/17/2024 11:15:09 UTC
Last modified on: 12/19/2024 08:48:59 UTC