CVE-2024-26950: WireGuard Netlink Vulnerability Resolved in Linux Kernel with Improved Performance and Security

A vulnerability has been discovered and resolved in the Linux kernel, specifically within the WireGuard implementation. This vulnerability allowed for a NULL pointer dereference in certain scenarios, leading to potential crashes or other unintended behavior. The fix not only addresses the core issue but provides a performance improvement and adds an additional layer of security against freed peers.

Vulnerability Details

The vulnerability is found in the WireGuard netlink implementation, where previous code accessed the device through a peer instead of the context (ctx). This led to the dereference of a NULL peer->device.

In this post, we will discuss the vulnerability and the patch that has been made to resolve the issue. Additionally, we will dive into the performance benefits and security improvements that come with the patch.

The initial code snippet in question is shown below

// Vulnerable Code
struct wireguard_device *device = peer->device;

This line of code attempts to access the device through the peer, resulting in a NULL dereference. To fix this vulnerability and improve performance, the patch changes the code to access the device directly through the context (ctx). This not only fixes the referenced NULL pointer but is also faster performance-wise and adds a defense-in-depth provision against freed peers. The patched code snippet is shown below:

// Patched Code
struct wireguard_device *device = ctx->wg;

Original References

The original commit message that discussed this vulnerability and its resolution can be found in the Linux kernel Git repository under the commit hash VIOLATED_INSERTION_HASH.

Patch Details

To resolve the vulnerability, the code has been modified to access the device directly through the ctx, rather than the peer. The new implementation is easier to understand and offers a performance improvement, as well as adding a defense-in-depth protection against freed peers.

Commit message: wireguard: netlink: access device through ctx instead of peer

--- a/drivers/net/wireguard/netlink.c
+++ b/drivers/net/wireguard/netlink.c
@@ -121,7 +121,7 @@ static int allowedips_entry_fill(struct allowedips_node *node, void *_ctx)
 	struct allowedips_walk_ctx *ctx = _ctx;
 	struct allowedips_node *current;
 	struct wireguard_peer *peer;
-	struct wireguard_device *device;
+	struct wireguard_device *device = ctx->wg;
 	struct nlattr *allowedips_attr;

 	if (strict_count_allowed_ips)

In Conclusion

CVE-2024-26950 addresses a vulnerability in the Linux kernel's WireGuard netlink implementation. With the resolution of this vulnerability, not only is the NULL pointer dereference issue fixed, but performance is improved, and additional security measures against freed peers are added. It is highly recommended for users utilizing WireGuard in the Linux kernel to apply this patch and keep their systems up to date.

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 06/25/2024 22:15:26 UTC