Summary: The recent Linux kernel update includes a fix for a critical vulnerability in the handling of pages originating from the page_pool in the network subsystem. Exploiting this vulnerability may result in system crashes or remote execution of unauthorized code. This post includes code snippets, original references, and exploit details.

A vulnerability in the Linux kernel caused by improper handling of pages originating from the page_pool has been resolved. It is tracked as CVE-2024-26953 and affects the net subsystem, specifically the "esp" (IPsec ESP) component.

Details of the vulnerability are as follows:

When the skb (socket buffer) is reorganized during esp_output (!esp->inline), the pages from the original skb fragments are expected to be released back to the system through put_page. However, pages that come from the page_pool are still accounted for by the pool and must be returned to it rather than freed directly. If the skb fragment pages come from the page_pool, calling put_page on them triggers a page_pool leak, which can lead to system crashes or other unintended consequences.

This leak is easily seen with CONFIG_DEBUG_VM enabled while performing IPsec + GRE (non-offloaded) forwarding. The following trace illustrates the leak:



To fix this, the patch introduces a new wrapper function, skb_page_unref, which handles page refcounting for page_pool pages as well as for ordinary pages.

Here is a code snippet showing the wrapper in the kernel:

/* skb_page_unref: release one page referenced by an skb. A page that belongs
 * to a page_pool must go back to the pool instead of through put_page(), so
 * the wrapper tries the pool's release path first and only falls back to
 * put_page() for ordinary pages. This is the form the upstream fix added;
 * napi_pp_put_page() and skb->pp_recycle are existing mainline kernel symbols. */
static inline void
skb_page_unref(const struct sk_buff *skb, struct page *page, bool napi_safe)
{
#ifdef CONFIG_PAGE_POOL
    /* skb carries pool-recycled pages: hand the page back to its pool */
    if (skb->pp_recycle && napi_pp_put_page(page, napi_safe))
        return;
#endif
    /* ordinary page: plain refcount drop */
    put_page(page);
}
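To make the leak mechanism concrete, here is an added userspace model (not kernel code, and not part of the original post or the upstream patch) of the refcount-versus-page_pool ownership problem described above: fragment pages released through put_page() stay counted as inflight by their pool, while a wrapper shaped like skb_page_unref returns them to the pool. All structs and functions are simplified stand-ins for the kernel's.

```c
/* Userspace model, constructed for this page (not kernel code), of why
 * put_page() on a page_pool-owned fragment leaks: the pool counts a page
 * as inflight until it comes back through the pool's own release path. */
#include <stdbool.h>

#define NR_FRAGS 2

struct page_pool { int inflight; };
struct page { int refcount; struct page_pool *pp; };  /* pp: owning pool or NULL */
struct sk_buff { bool pp_recycle; struct page *frags[NR_FRAGS]; };

static struct page *page_pool_alloc(struct page_pool *pool, struct page *page)
{
    page->refcount = 1; page->pp = pool; pool->inflight++;
    return page;
}

/* Plain refcount drop: knows nothing about pools, so inflight never returns. */
static void put_page(struct page *page) { page->refcount--; }

/* Stand-in for napi_pp_put_page(): true when the page went back to its pool. */
static bool napi_pp_put_page(struct page *page)
{
    if (!page->pp)
        return false;
    page->pp->inflight--; page->refcount = 0;
    return true;
}

/* Shape of the wrapper the fix introduces: recycle first, else put_page(). */
static void skb_page_unref(const struct sk_buff *skb, struct page *page)
{
    if (skb->pp_recycle && napi_pp_put_page(page))
        return;
    put_page(page);
}

/* esp_output releasing its fragment pages; returns how many pages the pool
 * still counts as inflight afterwards (non-zero means a page_pool leak). */
static int esp_release_frags(bool use_wrapper)
{
    struct page_pool pool = { 0 };
    struct page pages[NR_FRAGS];
    struct sk_buff skb = { .pp_recycle = true };

    for (int i = 0; i < NR_FRAGS; i++)
        skb.frags[i] = page_pool_alloc(&pool, &pages[i]);
    for (int i = 0; i < NR_FRAGS; i++)
        use_wrapper ? skb_page_unref(&skb, skb.frags[i]) : put_page(skb.frags[i]);
    return pool.inflight;
}
```

esp_release_frags(false) models the pre-fix path and leaves every pool page inflight; esp_release_frags(true) models the fixed path and leaves none.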

Original references

- net: esp: fix bad handling of pages from page_pool (Linux kernel mailing list)
- Linux Kernel - kernel/git/torvalds/linux.git - Linux kernel source tree

Mitigation: Introducing the "skb_page_unref" wrapper function

This vulnerability, CVE-2024-26953, has been resolved in the latest Linux kernel updates. It serves as a reminder to stay informed about security patches and keep systems up to date in order to maintain a robust security posture.

Timeline

Published on: 05/01/2024 06:15:11 UTC
Last modified on: 05/29/2024 05:25:47 UTC