A new vulnerability, identified as CVE-2024-27396, has been discovered and resolved in the Linux kernel's 'net:gtp' subsystem. The bug is a Use-After-Free (UAF) flaw in the 'gtp_dellink' function. In this post, we will provide a detailed explanation of the vulnerability, its impact, and the solution implemented to fix the issue. We will also include code snippets, links to original references, and other relevant details.
Vulnerability Details
The issue resides in the 'net:gtp' subsystem of the Linux kernel, specifically in the 'gtp_dellink' function. The following code snippet showcases the problematic part of the function (the '&gtp_dev' pointer is the device-private context used by the author; the elided parts are marked with '/* ... */'):
    hlist_for_each_entry_rcu(gtp, &gtp_dev->gsn->gtp_gs_list, gsn_list) {
        /* ... */
        call_rcu(...)   /* schedules the current entry for freeing after a grace period */
        /* ... */
    }
The problem is that 'call_rcu' is invoked from inside an 'hlist_for_each_entry_rcu' traversal that is not itself protected by an RCU read-side critical section. Since nothing holds off the RCU grace period while the loop runs, the grace period can elapse mid-traversal, so the entry just scheduled for freeing (the key) can be released before the loop reads its next pointer, which is the use-after-free.
A kernel UAF of this kind could potentially be leveraged by an attacker to read sensitive kernel memory, corrupt memory in order to run malicious code, or perform other malicious actions.
Solution
In order to fix the vulnerability, 'hlist_for_each_entry_rcu' should be changed to 'hlist_for_each_entry_safe'. The '_safe' variant stores the next pointer in a temporary ('tmp') before the loop body runs, so the current entry can be unlinked and freed without affecting the traversal. The updated code snippet should look like this:
    hlist_for_each_entry_safe(gtp, tmp, &gtp_dev->gsn->gtp_gs_list, gsn_list) {
        /* ... */
        call_rcu(...)   /* safe: 'tmp' already holds the next entry */
        /* ... */
    }
With this change the traversal no longer depends on the RCU grace period, and the UAF flaw is no longer exploitable.
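As an added illustration (constructed for this post, not the kernel's code or the actual patch), the following userspace model shows why reading the next pointer from an entry after it has been released is a use-after-free, and why an iterator that saves the next pointer first is not affected. The structure names ('pdp_ctx', 'hlist_tid'), the simplified macros and the poison value are assumptions of the model.

```c
#include <stddef.h>
/* Userspace model of the gtp_dellink traversal (constructed for this post; not kernel code). */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
struct pdp_ctx { struct hlist_node hlist_tid; }; /* assumed stand-in for the list entry type */
/* Models freed memory the way list debugging does: a released node's next pointer is poisoned. */
#define HLIST_POISON ((struct hlist_node *)0x100)
#define container_of(ptr, T, m) ((T *)((char *)(ptr) - offsetof(T, m)))
#define hlist_entry_safe(ptr, T, m) ((ptr) ? container_of(ptr, T, m) : (T *)NULL)
/* Same shape as the kernel macro, but takes the entry type explicitly to stay in plain C. */
#define hlist_for_each_entry_safe(pos, n, head, member, T)                   \
    for (pos = hlist_entry_safe((head)->first, T, member);                    \
         pos && (n = pos->member.next, 1); pos = hlist_entry_safe(n, T, member))
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h) {
    n->next = h->first; n->pprev = &h->first;
    if (h->first) h->first->pprev = &n->next; h->first = n;
}
/* Unlink and release; the kernel's call_rcu() -> kfree() is modeled as immediate (worst case). */
static void pdp_context_delete(struct pdp_ctx *p) {
    struct hlist_node *n = &p->hlist_tid;
    *n->pprev = n->next;
    if (n->next) n->next->pprev = n->pprev;
    n->next = HLIST_POISON;
}
static void build_list(struct hlist_head *h, struct pdp_ctx *pool, int count) {
    h->first = NULL; for (int i = 0; i < count; i++) hlist_add_head(&pool[i].hlist_tid, h);
}
/* Pre-fix shape: reads `next` from an entry after releasing it; the model reports instead of dereferencing. */
static int delete_all_unsafe(struct hlist_head *h) {
    struct pdp_ctx *pos = hlist_entry_safe(h->first, struct pdp_ctx, hlist_tid); int done = 0;
    while (pos) {
        pdp_context_delete(pos); done++;
        if (pos->hlist_tid.next == HLIST_POISON) return -done; /* read of a freed entry: the UAF */
        pos = hlist_entry_safe(pos->hlist_tid.next, struct pdp_ctx, hlist_tid);
    }
    return done;
}
/* Fixed shape: the iterator saves `next` before the body runs, so releasing `pos` is fine. */
static int delete_all_safe(struct hlist_head *h) {
    struct pdp_ctx *pos; struct hlist_node *next; int done = 0;
    hlist_for_each_entry_safe(pos, next, h, hlist_tid, struct pdp_ctx) { pdp_context_delete(pos); done++; }
    return done;
}
/* Drives either shape over a constructed three-entry list; the fixed walk must empty it. */
static int run_model(int fixed) {
    static struct pdp_ctx pool[3]; struct hlist_head h; build_list(&h, pool, 3);
    int done = fixed ? delete_all_safe(&h) : delete_all_unsafe(&h);
    return (fixed && h.first != NULL) ? -99 : done;
}
```

run_model(0) stops after the first entry because the walk would have to read from memory that was already released; run_model(1) removes all three entries.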
References
1. Linux Kernel Mailing List - Patch Submission
2. CVE-2024-27396 - National Vulnerability Database
Conclusion
The resolution of CVE-2024-27396 demonstrates the importance of vigilance and timely patching in the world of cybersecurity. By understanding and sharing information about such vulnerabilities and their solutions, we can help make the digital world a safer place for everyone. Ensure that your Linux kernel version has this fix implemented, and stay updated on other security-related announcements to protect your systems from potential threats.
Timeline
Published on: 05/14/2024 15:12:27 UTC
Last modified on: 06/27/2024 12:15:24 UTC