An important vulnerability in the Linux kernel known as CVE-2024-26921 has been recently resolved. The kernel's inet (internet) module has been updated with a fix for the inet_defrag() function, which prevents the socket (sk) from being released while it's still being used. This vulnerability could have resulted in the corruption of data and potentially expose security vulnerabilities for users.
Description
This vulnerability affects skb (socket buffer) fragments reassembled via netfilter or similar modules, such as openvswitch or ct_act.c, when run as part of the tx (transmission) pipeline. The issue was discovered by Eric Dumazet during his analysis of the Linux kernel. According to Eric, the use of ip_defrag() in the output path implied skb_orphan() which was buggy because the output path relied on sk not disappearing, causing issues with downstream packet management.
Resolution
Eric Dumazet suggested to stash the sk in the fragment queue and made an initial patch, which was later modified. The patch moves orphaning down into the core, to the last possible moment, which addresses the problem of sk being triggered prematurely during skb reassembly.
By moving the offset into the FRAG_CB, skb->sk is no longer clobbered. This allows for delaying the orphaning long enough to learn if the skb has to be queued, or if the skb is completing the reassembly queue. In the former case, things work as before, skb is orphaned and safe due to the queueing. In the latter case, the sk reference is stolen and reattached to the head skb, fixing the wmem (write memory) accounting when inet_frag inflates truesize.
References
Here are some useful links to learn more about this vulnerability, its analysis, and how it has been resolved:
1. Linux kernel source detailing the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8282f27449bf
2. Eric Dumazet's discussion and analysis of the bug: https://lore.kernel.org/netdev/20171221051522.84173-1-edumazet@google.com/
3. inet: frag: Always orphan skbs inside ip_defrag() patch: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=860dabdb7adc
4. Patch addressing the vulnerability and moving the offset into FRAG_CB: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce4b7af2235
Exploit Details
The vulnerability arises from the skb->sk being released prematurely while it's still being used. This could lead to data corruption and potential security vulnerabilities, especially in situations where skb fragments are reassembled via netfilter or similar modules. The patch released to resolve this issue moves orphaning to the last possible moment, ensuring that skb will not be released before it's safe to do so.
Timeline
Published on: 04/18/2024 10:15:07 UTC
Last modified on: 05/29/2024 05:25:03 UTC