CVE-2024-26898 - Resolving Use-After-Free Vulnerability (CVE-2023-627) in the Linux Kernel AoE Driver

In recent updates to the Linux kernel, a critical vulnerability has been resolved that addresses a use-after-free issue in the ATA over Ethernet (AoE) driver. The problem was found in the aoecmd_cfg_pkts() function in the kernel, which was responsible for updating the reference count on a struct net_device improperly. By racing between freeing the struct and accessing it through the global skbtxq queue, attackers could potentially trigger a denial of service (DoS) or execute malicious code on the system.

The original references for this issue can be found in the Common Vulnerabilities and Exposures (CVE) database as CVE-2023-627.

To address this vulnerability, a patch has been developed that modifies the aoecmd_cfg_pkts() function to prevent the use-after-free from occurring. This patch removes the dev_put(ifp) call in the function's success path, ensuring that it is not called prematurely and causing a use-after-free condition. Instead, dev_put() is added after the skb xmit within the tx() function.

Here's the code snippet of the patch that resolves this vulnerability

--- a/drivers/block/aoe/aoecmd.c
+++ b/drivers/block/aoe/aoecmd.c
@@ -1053,7 +1053,7 @@ aoecmd_cfg_pkts(struct aoetgt *t, struct list_head *head)
-		if (n <  || test_and_set_bit(, &skb->users)) {
+		if (n <  || test_and_set_bit(, &skb->users))
 			dev_put(ifp);
-		else
+		else
 			list_add_tail(&skb->queue, &skbqueue);

--- a/drivers/block/aoe/aoeblk.c
+++ b/drivers/block/aoe/aoeblk.c
@@ -177,6 +177,8 @@ tx(struct aoedev *d)
		n = aoehdr_atainit(d);
 		if (n != )
 			break;
 		/* only count it for successful xmit */
+
+		dev_put(dev);

By implementing this patch, developers can protect their Linux-based systems from potential attacks exploiting the use-after-free vulnerability (CVE-2023-627) in the AoE driver. It's essential to keep your Linux kernel up-to-date and apply security patches as they become available to mitigate the risk of vulnerabilities and ensure the ongoing security of your systems.

Timeline

Published on: 04/17/2024 11:15:10 UTC
Last modified on: 07/22/2024 14:55:25 UTC