In a recent security update, the Linux kernel maintainers addressed a vulnerability (CVE-2024-26951) in the in-kernel implementation of the WireGuard networking protocol. WireGuard is a modern VPN (Virtual Private Network) protocol used widely for its simplicity, high performance, and strong security.

The issue was found in the WireGuard netlink code, specifically in how a resumed configuration dump handled peers that had been removed. The bug could cause a use-after-free in the kernel, with the instability and security risk that implies. The full details of the patch can be found in this commit: wireguard: netlink: check for dangling peer via is_dead instead of empty list.

The issue was triggered by the following sequence of events:

1. When all peers were removed using wg_peer_remove_all(), instead of setting peer_list to empty, the peer was added to a temporary list with a head on the stack of wg_peer_remove_all().
2. When a netlink dump was resumed and the cursor-ed peer was one that had been removed with wg_peer_remove_all(), the system would iterate from that peer and then attempt to dump freed peers.

To resolve this problem, the patch instead checks the peer->is_dead flag, which was created for exactly this purpose and is set on every removal path. Additionally, it moves the device_update_lock lockdep assertion earlier, because reading is_dead relies on that lock being held.
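The following is an added user-space model, not code from the kernel or the patch, of why the old cursor check failed: a removed peer stays linked on a temporary list, so only the per-peer is_dead flag can tell the resumed dump that its saved cursor is stale. Structure and function names are simplified stand-ins for the kernel's.

```c
/* Added example (not kernel code): model of the cursor check fixed by
 * CVE-2024-26951. Structures and names are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>

struct peer {
    struct peer *next;    /* stand-in for the kernel's list_head peer_list */
    bool linked;          /* true while on the device list OR a temp list */
    bool is_dead;         /* set by every removal path in the real driver */
    int id;
};

/* Old check: treat the cursor as gone only if it is unlinked from every list. */
static bool cursor_stale_old(const struct peer *p) { return !p->linked; }
/* Fixed check: the per-peer flag set on removal. */
static bool cursor_stale_new(const struct peer *p) { return p->is_dead; }

/* Model of wg_peer_remove_all(): each peer is marked dead and moved onto a
 * temporary list (head on the caller's stack) for deferred freeing, so it
 * stays linked and the old check cannot tell it has been removed. */
static void remove_all(struct peer **dev_head, struct peer **tmp_head) {
    struct peer *p = *dev_head;
    *dev_head = NULL;
    *tmp_head = p;
    for (; p; p = p->next) { p->is_dead = true; p->linked = true; }
}

/* Model of the dump resuming from a saved cursor: walk from the cursor and
 * count peers that were already removed. In the kernel those peers may be
 * freed memory, so any nonzero result here represents the use-after-free. */
static int resume_dump(struct peer *cursor, bool (*stale)(const struct peer *)) {
    int touched_dead = 0;
    if (!cursor || stale(cursor))
        return 0;               /* the fixed code restarts from the head instead */
    for (struct peer *p = cursor; p; p = p->next)
        if (p->is_dead) touched_dead++;
    return touched_dead;
}

/* Scenario from the report: dump pauses at peer 2, the config is replaced
 * (all peers removed), then the dump resumes. Returns dead peers touched. */
int scenario(bool use_fix) {
    struct peer c = { NULL, true, false, 3 };
    struct peer b = { &c, true, false, 2 };
    struct peer a = { &b, true, false, 1 };
    struct peer *dev = &a, *tmp = NULL;
    struct peer *cursor = &b;                   /* saved by the paused dump */
    remove_all(&dev, &tmp);
    return resume_dump(cursor, use_fix ? cursor_stale_new : cursor_stale_old);
}
```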

The issue could be reproduced by a script like this (bash is required for the process substitution on the last line):

#!/bin/bash
echo "Setting config..."
ip link add dev wg type wireguard
# /big-config is a WireGuard config file with many peers, so the dump pauses
wg setconf wg /big-config
# keep resuming netlink dumps in the background
(
        while true; do
                echo "Showing config..."
                wg showconf wg > /dev/null
        done
) &
sleep 4
# replace the whole config: all old peers are removed while a dump is paused
wg setconf wg <(printf "[Peer]\nPublicKey=$(wg genkey)\n")

When the script was executed, KASAN reported the following error:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20
Read of size 8 at addr ffff88811956ec70 by task wg/59
CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5
Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x70
 print_address_description.constprop.0+0x2c/0x380
 print_report+0xab/0x250
 kasan_report+0xba/0xf0
 __lock_acquire+0x182a/0x1b20
 lock_acquire+0x191/0x4b0
 down_read+0x80/0x440
 get_peer+0x140/0xcb0
 wg_get_device_dump+0x471/0x1130

This patch resolves the issue and ensures a safer and more stable experience for WireGuard users. It is highly recommended to update your Linux kernel to a release that includes this fix. For more information on the WireGuard project, visit the official website: https://www.wireguard.com/

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 06/25/2024 22:15:26 UTC