CVE-2024-27393 is a vulnerability in the Linux kernel's Xen-netfront driver that has been detected and resolved. It stems from a missing call to skb_mark_for_recycle(). This post gives a detailed analysis of the issue, links to the original references, the code snippet, and the exploit details.
Code Snippet
static void xennet_release_rx_bufs(struct netfront_queue *queue)
{
	struct sk_buff *skb;
	struct sk_buff *tmp;	/* lookahead slot required by skb_queue_walk_safe() */

	/* Walk the RX queue safely, since entries are unlinked while iterating. */
	skb_queue_walk_safe(&queue->rx_queue, skb, tmp) {
		struct skb_shared_info *shinfo = skb_shinfo(skb);

		if (xb_state_mismatch(queue, shinfo->frags, idx_to_pfn(i),
				      shinfo->nr_frags - 1))
			continue;

		/* Detach the skb from the queue before freeing it. */
		__skb_unlink(skb, &queue->rx_queue);
		queue->stats.rx_no_waits++;
		kfree_skb(skb);
	}
}
Original References
1. Linux kernel source: https://github.com/torvalds/linux
2. Xen-netfront issue: https://lwn.net/Articles/834787/
3. Commit 6a5bcd84e886: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6a5bcd84e886
4. Commit 535b9c61bdef: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=535b9c61bdef
Exploit Details
The vulnerability was due to a missing call to skb_mark_for_recycle() in the Xen-netfront driver. skb_mark_for_recycle() was introduced into the Linux kernel later than commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"), the commit the fix is tagged against. It is believed that this missing call remained in Linux kernel versions 5.9 to 5.14.
The call to page_pool_release_page() was removed in the commit 535b9c61bdef (net: page_pool: hide page_pool_release_page()) and the remaining callers were converted in the commit 6bfef2ec0172 (Merge branch 'net-page_pool-remove-page_pool_release_page'). The leak became visible in version 6.8 via commit dba1b8a7ab68 (mm/page_pool: catch page_pool memory leaks).
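To make the mechanism behind the leak concrete, here is an added userspace model written for this post; it is not kernel code and not part of the xen-netfront fix. A toy page_pool hands out pages and counts the ones in flight, an skb stand-in carries the pp_recycle hint that skb_mark_for_recycle() sets, and the free path only returns a page to the pool when that hint is present. Destroying the pool reports pages still in flight, which is the kind of check that made the leak visible in 6.8. All names (struct page_pool, run_rx_path, POOL_PAGES) and the pool size are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of the page_pool recycling contract, not
 * kernel code. A pool hands out pages and counts the ones in flight; a page
 * comes back only if the skb was marked recyclable. An unmarked skb simply
 * forgets its page, which the pool reports as leaked at destroy time. */

#define POOL_PAGES 4	/* constructed pool size */

struct page {
	bool in_use;
};

struct page_pool {
	struct page pages[POOL_PAGES];
	int inflight;	/* pages handed out and not yet recycled */
	int leaked;	/* set by pool_destroy() */
};

/* Minimal skb stand-in: one fragment page plus the recycle hint. */
struct skb {
	struct page *frag;
	bool pp_recycle;	/* set by skb_mark_for_recycle() */
};

struct page *pool_alloc_page(struct page_pool *pool)
{
	for (int i = 0; i < POOL_PAGES; i++) {
		if (!pool->pages[i].in_use) {
			pool->pages[i].in_use = true;
			pool->inflight++;
			return &pool->pages[i];
		}
	}
	return NULL;	/* pool exhausted */
}

void pool_recycle_page(struct page_pool *pool, struct page *pg)
{
	pg->in_use = false;
	pool->inflight--;
}

/* Driver-side hint: tell the skb layer its pages belong to a page_pool. */
void skb_mark_for_recycle(struct skb *s)
{
	s->pp_recycle = true;
}

/* Free path: only a marked skb returns its page to the pool. */
void kfree_skb(struct page_pool *pool, struct skb *s)
{
	if (s->pp_recycle)
		pool_recycle_page(pool, s->frag);
	/* else: the page is forgotten and the pool never sees it again */
	s->frag = NULL;
}

/* Returns the number of pages still in flight, i.e. leaked, at destroy. */
int pool_destroy(struct page_pool *pool)
{
	pool->leaked = pool->inflight;
	if (pool->leaked)
		fprintf(stderr, "page_pool: %d page(s) leaked\n", pool->leaked);
	return pool->leaked;
}

/* Simulate a driver receiving n packets. mark=false models the missing
 * call; mark=true models the fix. Returns the leaked-page count. */
int run_rx_path(int n, bool mark)
{
	struct page_pool pool = {0};

	for (int i = 0; i < n; i++) {
		struct skb s = { .frag = pool_alloc_page(&pool), .pp_recycle = false };

		if (!s.frag)
			break;	/* pool ran dry: earlier pages were never recycled */
		if (mark)
			skb_mark_for_recycle(&s);
		kfree_skb(&pool, &s);
	}
	return pool_destroy(&pool);
}

int main(void)
{
	printf("unmarked: %d leaked\n", run_rx_path(10, false));
	printf("marked:   %d leaked\n", run_rx_path(10, true));
	return 0;
}
```

Without the mark, the four-page pool is drained after four packets and reports four leaked pages; with the mark every page is recycled and the pool is empty of in-flight pages at destroy.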
Resolution
The vulnerability has been addressed by adding the missing skb_mark_for_recycle() call in the Xen-netfront driver.
Conclusion
CVE-2024-27393 is a vulnerability in the Linux kernel's Xen-netfront driver. The issue was caused by a missing call to skb_mark_for_recycle(), leading to memory leaks in certain kernel versions. The vulnerability has been resolved, and adding the call restores correct page recycling and improves kernel stability and security.
Timeline
Published on: 05/14/2024 15:12:26 UTC
Last modified on: 11/04/2024 19:35:07 UTC