CVE-2024-27013 - Limit Printing Rate in Linux Kernel Tun Device to Mitigate Soft Lockup Vulnerability

Summary:
A vulnerability in the Linux kernel's tun device has been resolved, which could lead to a soft lockup problem if too many illegal packets are received. The fix involves limiting the printing rate of packet contents using the net_ratelimit mechanism, as discussed in this post. We will provide details about the vulnerability, code snippets, and links to original references.

Introduction:
The Linux kernel's tun device is responsible for handling virtual TUN/TAP network devices. A vulnerability has been discovered wherein the tun device could be subjected to too many illegal packets. This might cause the tun_do_read function to repeatedly dump packet contents, leading to a soft lockup situation. A soft lockup is a state where the kernel is stuck in a high-priority task for a long time, causing other tasks to be delayed or stalled. Consequently, this can result in a system becoming unresponsive.

Details

The vhost_worker function is responsible for calling tun callbacks to receive packets. However, if too many illegal packets arrive, the tun_do_read function will keep dumping packet contents. This issue is particularly concerning when the console is enabled as it consumes significant CPU time to dump packets and eventually triggers the soft lockup detection.

To mitigate this issue, the net_ratelimit mechanism is deployed to limit the dumping rate. The net_ratelimit mechanism is an established technique in the Linux kernel to control the rate of messages printed to syslog/network.

Code Snippet

Below is the code snippet from the Linux kernel showing the implementation of the net_ratelimit mechanism in the tun device:

/* Adapted from net/core/utils.c */
#ifndef TUN_DEBUG
static inline
int tun_ratelimited(void)
{
       return net_ratelimit();
}
#else
extern int tun_ratelimited(void);
#endif

/* ... */

/* net/tun.c - tun_do_read function */
static ssize_t tun_do_read(struct tun_file *tfile, struct iov_iter *to,
                           bool noblock, size_t count)
{
       /* ... */
       switch (tun->flags & TUN_TYPE_MASK) {
       case TUN_TUN_DEV:
               /* ... */
               break;
       case TUN_TAP_DEV:
               // ...
               break;
       default:
               if (tun_ratelimited()) {
                       pr_err("%s: unknown device type %d\n",
                              tun->dev->name, tun->flags);
                       print_hex_dump(KERN_ERR, "data: ", DUMP_PREFIX_OFFSET,
                                      16, 1, skb->data, 20, true);
               }
               // ...
       }
       // ...
}

Original References

1. Linux Kernel Mailing List - original patch discussion of the issue
2. Linux Kernel 4.7 Release Notes - Linux Kernel 4.7 mentioning the patch
3. Linux Kernel Source - the actual commit that resolved the vulnerability in the Linux kernel source code

Conclusion

The vulnerability CVE-2024-27013 has been successfully addressed in the Linux kernel tun device. By limiting the printing rate when illegal packets are received, the risk of a soft lockup has been significantly reduced. The implementation of the net_ratelimit mechanism has mitigated the vulnerability and offers a more secure and stable environment for users.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 07/05/2024 17:22:49 UTC