In the Linux kernel, a vulnerability has been detected and resolved, which is related to Xen-netfront. The vulnerability is identified as CVE-2024-27393 and revolves around a missing call to skb_mark_for_recycle(). This long read post will provide a detailed analysis of the issue, links to original references, the code snippet, and the exploitation details.

Code Snippet

static void xennet_release_rx_bufs(struct netfront_queue *queue)
{
    struct sk_buff *skb;

    skb_queue_walk_safe(&queue->rx_queue, skb, tmp) {
        struct skb_shared_info *shinfo = skb_shinfo(skb);

        if (xb_state_mismatch(queue, shinfo->frags, idx_to_pfn(i),
                              shinfo->nr_frags - 1))
            continue;

        __skb_unlink(skb, &queue->rx_queue);
        queue->stats.rx_no_waits++;
        kfree_skb(skb);
    }
}

Original References

1. Linux kernel source: https://github.com/torvalds/linux
2. Xen-netfront issue: https://lwn.net/Articles/834787/
3. Commit 6a5bcd84e886: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6a5bcd84e886
4. Commit 535b9c61bdef: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=535b9c61bdef

Exploit Details

The vulnerability was due to a missing call to skb_mark_for_recycle() in the Xen-netfront driver. skb_mark_for_recycle() was introduced to the Linux kernel later than the commit tagged as 6a5bcd84e886, which contained the fixes for the "page_pool: Allow drivers to hint on SKB recycling" issue. It is believed that this missing call remained in the Linux kernel versions 5.9 to 5.14.

The call to page_pool_release_page() was removed in the commit 535b9c61bdef (net: page_pool: hide page_pool_release_page()) and the remaining callers were converted in the commit 6bfef2ec0172 (Merge branch 'net-page_pool-remove-page_pool_release_page'). The leak became visible in version 6.8 via commit dba1b8a7ab68 (mm/page_pool: catch page_pool memory leaks).

Resolution

The vulnerability has been addressed by adding the missing skb_mark_for_recycle() function call as needed.

Conclusion

CVE-2024-27393 is a vulnerability in the Linux kernel connected to the Xen-netfront driver. The issue was caused by a missing call to skb_mark_for_recycle(), leading to memory leaks in certain kernel versions. The vulnerability has been resolved, and proper implementation of the function ensures improved kernel stability and security.

Timeline

Published on: 05/14/2024 15:12:26 UTC
Last modified on: 11/04/2024 19:35:07 UTC