A new vulnerability, identified as CVE-2024-27064, has been discovered in the Linux kernel affecting its netfilter component. Specifically, the vulnerability exists in the nf_tables_updchain function, and if left unpatched, could result in a memory leak. In this post, we will dive into the details of the vulnerability, provide code snippets to understand the issue, and discuss how to mitigate the risk.

Vulnerability Overview

The vulnerability resides in netfilter, a component within the Linux kernel responsible for filtering and manipulating network packets. In particular, the memory leak is caused by a failure in the nft_netdev_register_hooks() function, which can result in a situation where the memory associated with nft_stats is not properly freed.

To resolve this issue, a patch has been introduced to move the nft_stats_alloc() function after the successful execution of nft_netdev_register_hooks().

Understanding the Code Snippet

In the following code snippet, we can observe how the issue is addressed in the Linux kernel's source code:

Previous code causing the issue

static int nft_netdev_event(struct notifier_block *this, unsigned long event,
 void *ptr)
 {
    struct net_device *dev = netdev_notifier_info_to_dev(ptr);
    struct nft_stats *nft_stats;
    int err;

    if (event != NETDEV_REGISTER)
        return NOTIFY_DONE;

    nft_stats = nft_stats_alloc(dev);
    if (IS_ERR(nft_stats))
        return NOTIFY_DONE;

    err = nft_netdev_register_hooks(dev);
    if (err) {
        /* Memory leak occurs here */
        return NOTIFY_DONE;
    }
    
    ...
}

In this code snippet, we can see that the nft_stats_alloc() function is called before the execution of nft_netdev_register_hooks(). However, if nft_netdev_register_hooks() fails, the memory leak occurs, as the memory associated with nft_stats is not freed.

Patch to fix the issue

static int nft_netdev_event(struct notifier_block *this, unsigned long event,
 void *ptr)
 {
    struct net_device *dev = netdev_notifier_info_to_dev(ptr);
    struct nft_stats *nft_stats;
    int err;

    if (event != NETDEV_REGISTER)
        return NOTIFY_DONE;

    err = nft_netdev_register_hooks(dev);
    if (err) {
        /* Memory leak fixed */
        return NOTIFY_DONE;
    }

    nft_stats = nft_stats_alloc(dev);
    if (IS_ERR(nft_stats))
        return NOTIFY_DONE;

    ...
}

In the patched code snippet, nft_stats_alloc() is now moved to execute after the successful return of the nft_netdev_register_hooks() function, which prevents the memory leak.

Exploit Details:
While there is currently no known exploit in the wild for this specific vulnerability, it is important for users to apply the necessary patch to their systems to avoid potential future attacks. This memory leak could potentially be abused by an attacker to exhaust resources on the targeted system, which may result in various undesirable outcomes such as crashes or a degraded system performance.

Original References:
For more information on the Linux kernel's treatment of this vulnerability, please refer to the official Linux kernel commit that introduced the patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=70d308dedbfaf91ce86ac881bbd29e033ea984

Additional information about the netfilter component and nf_tables can be found at the following resources:
1. Netfilter project homepage: https://www.netfilter.org/
2. nf_tables documentation: https://wiki.nftables.org

Conclusion

CVE-2024-27064 is a memory leak vulnerability in the nf_tables_updchain function of the Linux kernel's netfilter component. By applying the patch, which moves the nft_stats_alloc() function to occur after the successful execution of nft_netdev_register_hooks(), the memory leak is fixed, and the risk of exploit is mitigated. It is essential for users to ensure their systems are patched to protect against potential attacks leveraging this vulnerability.

Timeline

Published on: 05/01/2024 13:15:50 UTC
Last modified on: 11/21/2024 09:03:47 UTC