CVE-2024-26865: Linux Kernel Vulnerability Fixed in rds_tcp Module

A recently identified vulnerability in the Linux kernel (CVE-2024-26865) affects the rds_tcp module and has since been fixed. This post outlines the details of the vulnerability, the relevant part of the KASAN report, and links to the original references for those who would like to investigate further.

The tail of the sequence that triggers the bug, as described in the fix commit:

4. netns is dismantled. [0] (ref_tracker: net notrefcnt@0000000065449cc3)

5. reqsk timer is fired, and UAF (Use After Free) happens while freeing reqsk. [1] (BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop)

6. listener is freed after RCU (Read-Copy-Update) grace period. [2]

Essentially, a connect() to the kernel listener that rds_tcp_listen_init() binds on RDS_TCP_PORT creates a request socket (reqsk) whose retransmit timer keeps running after the caller exits. A reqsk assumes that its listener keeps the netns alive, by holding a reference, until every reqsk timer has expired. Kernel sockets, however, do not take a netns reference (hence the "notrefcnt" in the tracker output above), so the netns can be dismantled while a timer is still pending. When that timer fires, reqsk_timer_handler() runs against freed memory: a Use After Free (UAF), where code keeps using an object after it has been released.

To fix this issue, the same approach as in commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") was applied. That commit made netns teardown drop a kernel listener's pending request sockets, but only for the per-netns ehash; the fix for CVE-2024-26865 extends the cleanup to the global ehash, where the rds_tcp listener's request sockets live, so that no reqsk timer can outlive its netns.

The KASAN report [1] shows the timer path that dereferenced the freed netns:

inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)
reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)
call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
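To make the ordering problem concrete, here is an added user-space model of the bug and of the fix's idea; it is not kernel code and not code from the original post. The structures and function names (struct net with an "alive" flag, reqsk_alloc(), netns_exit_buggy(), netns_exit_fixed(), run_pending_timers(), scenario()) are assumptions of this model. It shows why a request socket whose timer is still armed must be dropped from the shared hash before the netns it points at is freed, which is what inet_twsk_purge() does for kernel listeners in the real fix.

```c
/*
 * Added example: user-space model of the reqsk/netns lifetime bug behind
 * CVE-2024-26865. Not kernel code; all names below are assumptions made for
 * the model. "alive" stands in for whether the netns memory is still valid.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EHASH_SLOTS 8

/* Stand-in for struct net. */
struct net {
    int id;
    int alive;
};

/* Stand-in for a request socket with its SYN-ACK retransmit timer armed. */
struct reqsk {
    struct net *net;   /* netns the reqsk was created in (no refcount held) */
    int armed;         /* timer pending */
};

/* One table shared by every netns, like the global TCP ehash. */
static struct reqsk ehash[EHASH_SLOTS];

static void ehash_reset(void)
{
    memset(ehash, 0, sizeof(ehash));
}

/* A connect() to the kernel listener on RDS_TCP_PORT creates a reqsk. */
static struct reqsk *reqsk_alloc(struct net *net)
{
    for (size_t i = 0; i < EHASH_SLOTS; i++) {
        if (!ehash[i].net && !ehash[i].armed) {
            ehash[i].net = net;
            ehash[i].armed = 1;
            return &ehash[i];
        }
    }
    return NULL;
}

/* Buggy teardown: the netns goes away while reqsks still point at it. */
static void netns_exit_buggy(struct net *net)
{
    net->alive = 0;
}

/*
 * Fixed teardown: first drop every pending reqsk of this netns from the
 * shared table (the purge step), then free the netns.
 * Returns the number of reqsks dropped.
 */
static int netns_exit_fixed(struct net *net)
{
    int dropped = 0;

    for (size_t i = 0; i < EHASH_SLOTS; i++) {
        if (ehash[i].net == net) {
            ehash[i].armed = 0;
            ehash[i].net = NULL;
            dropped++;
        }
    }
    net->alive = 0;
    return dropped;
}

/* Model of reqsk_timer_handler(): 1 if it touched a dead netns, else 0. */
static int reqsk_timer_fire(struct reqsk *req)
{
    if (!req->armed)
        return 0;
    req->armed = 0;
    if (!req->net->alive)      /* netns already dismantled: UAF in the kernel */
        return 1;
    req->net = NULL;           /* normal expiry: reqsk dropped cleanly */
    return 0;
}

/* Fires every pending timer; returns how many hit a dead netns. */
static int run_pending_timers(void)
{
    int uaf = 0;

    for (size_t i = 0; i < EHASH_SLOTS; i++)
        uaf += reqsk_timer_fire(&ehash[i]);
    return uaf;
}

/*
 * Constructed scenario mirroring the report: a netns with its kernel
 * listener, two connect()s that leave reqsks behind, the netns exits,
 * then the reqsk timers fire. Returns the number of UAF events.
 */
static int scenario(int use_fix)
{
    struct net ns = { .id = 1, .alive = 1 };

    ehash_reset();
    reqsk_alloc(&ns);
    reqsk_alloc(&ns);

    if (use_fix)
        netns_exit_fixed(&ns);
    else
        netns_exit_buggy(&ns);

    return run_pending_timers();
}

int main(void)
{
    printf("buggy teardown: %d UAF(s)\n", scenario(0));   /* 2 */
    printf("fixed teardown: %d UAF(s)\n", scenario(1));   /* 0 */
    return 0;
}
```

The model deliberately keeps a single table for all netns: with a per-netns ehash the purge in commit 740ea3c4a0b2 already found these reqsks, but a kernel listener whose request sockets sit in the global ehash needed the same walk, which is the gap the CVE fix closes.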

For a complete look at the patches and changes in the kernel, please refer to the following original references:

[Another ref tracker warning][1]

In conclusion, CVE-2024-26865 is a Use After Free (UAF) in the Linux kernel's rds_tcp module: a request socket created by the kernel listener on RDS_TCP_PORT could outlive its netns, and reqsk_timer_handler() then ran against freed memory. The fix applies the cleanup that commit 740ea3c4a0b2 introduced for the per-netns ehash to the global ehash as well, so a kernel listener's pending request sockets are dropped when the netns is dismantled. Run a kernel that carries this fix.

[0]: https://lkml.org/lkml/2021/9/22/341
[1]: https://lkml.org/lkml/2021/9/22/342
[2]: https://lkml.org/lkml/2021/9/22/343

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 12/19/2024 08:48:59 UTC