CVE-2024-27014 - Preventing deadlock in Linux kernel while disabling aRFS (Address Resolution Features)

In this post, we are going to discuss a vulnerability that was found and resolved in the Linux kernel. It is related to disabling the aRFS (Address Resolution Features) under certain conditions, which can cause a deadlock. The vulnerability is identified as CVE-2024-27014.

The Linux kernel is the core of the operating system that provides an interface between the hardware and software components of a system. It is critical to maintain the security and stability of the kernel, as vulnerabilities can lead to severe impacts such as data leakages, system crashes, and other potential threats.

The vulnerability: net/mlx5e - Deadlock while disabling aRFS

The vulnerability has been fixed in net/mlx5e, where an issue of deadlocking occurs while disabling the aRFS. When the aRFS is disabled under the priv->state_lock, any scheduled aRFS works are canceled using the cancel_work_sync function. This function waits for the work to end if it has already started. However, while waiting for the work handler, the handler will attempt to acquire the state_lock again, which is already acquired.

The worker's responsibility is not to delete the rules if the state is down since disabling aRFS deletes the rules. To address this issue, an aRFS state variable has been added, indicating whether the aRFS is enabled and preventing the addition of rules when the aRFS is disabled.

Kernel log for the issue can be found here.

Fixing the vulnerability

To address CVE-2024-27014, developers have added an aRFS state variable to the Linux kernel and made sure that rules are not added when the aRFS feature is disabled. The patch can be found here. This patch should be applied to the affected Linux distributions to avoid the deadlock issue while disabling aRFS.

It is important to keep up-to-date with security announcements regarding vulnerabilities in the kernel and apply the appropriate patches to ensure the stability and security of the system.

Conclusion

CVE-2024-27014 is a vulnerability that affected the Linux kernel, causing deadlocks when disabling aRFS. The issue has been resolved by adding an aRFS state variable and preventing the addition of rules when the feature is disabled. It is crucial to stay informed about these vulnerabilities and apply the patches to maintain the security and stability of your systems.

Timeline

Published on: 05/01/2024 06:15:20 UTC
Last modified on: 06/17/2024 17:46:06 UTC