A vulnerability in the Linux kernel, CVE-2024-36905, has been discovered and fixed. It affects the tcp_shutdown() function when it is called on a socket in the TCP_SYN_RECV state and could lead to kernel crashes and related security risks. In this post we go through the details of the vulnerability and the patch that resolves it.

The Linux kernel commit that fixes it is titled:

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

The TCP_SYN_RECV state is really special: it is only reached by cross-SYN (simultaneous open) connections, which in practice are mostly produced by fuzzers. syzbot managed to cause a crash [1] by triggering a divide-by-zero error in the tcp_rcv_space_adjust() function.

The affected socket goes through the following state transitions without ever calling tcp_init_transfer() or tcp_init_buffer_space():

TCP_CLOSE
    connect()
TCP_SYN_RECV
    shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)

The Resulting Patch

To address this vulnerability, the patch changes tcp_shutdown() so that it no longer performs the TCP_SYN_RECV -> TCP_FIN_WAIT1 transition. That transition makes no sense in any case: the handshake has not completed, so the socket's transfer state and buffer space have never been initialised.

Instead, when tcp_rcv_state_process() later moves the socket from TCP_SYN_RECV to TCP_ESTABLISHED, it checks the SEND_SHUTDOWN bit in sk->sk_shutdown to determine whether a shutdown was requested earlier. If the bit is set, the socket is transitioned to TCP_FIN_WAIT1 and the FIN packet is sent from a sane, fully initialised socket state.

Because the deferred FIN is now generated from the receive path, tcp_send_fin() can be called from BH (bottom-half, i.e. softirq) context and therefore must use GFP_ATOMIC allocations rather than allocations that may sleep.
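The following user-space model replays the state sequence described above and shows why deferring the shutdown removes the crash. It is an added example written for this post, not kernel code and not part of the patch: struct sock, rcv_divisor, the replay() driver and the constructed values 1460 and 4096 are assumptions of the model, and tcp_rcv_space_adjust() returns -1 where the kernel would take a divide error. The fixed flag selects the pre-patch behaviour (tcp_shutdown() allowed to act on TCP_SYN_RECV) or the post-patch behaviour (shutdown recorded in sk_shutdown and acted on once the socket is TCP_ESTABLISHED).

```c
#include <stdio.h>

/* Subset of the kernel's TCP state numbers (include/net/tcp_states.h). */
enum { TCP_ESTABLISHED = 1, TCP_SYN_RECV = 3, TCP_FIN_WAIT1 = 4, TCP_CLOSE = 7 };
#define TCPF(s)       (1u << (s))
#define SEND_SHUTDOWN 2u        /* bit the kernel sets in sk->sk_shutdown */

/* Hypothetical minimal socket: only the fields the model needs (not the kernel's struct sock). */
struct sock {
    int state;
    unsigned int sk_shutdown;  /* RCV_SHUTDOWN / SEND_SHUTDOWN bits */
    unsigned int rcv_divisor;  /* models a receive-side value tcp_init_transfer() sets; 0 until then */
    int fin_from_state;        /* state the socket was in when the FIN was generated, -1 if none */
    int fixed;                 /* 0 = behaviour before the patch, 1 = behaviour after */
};

/* Runs when the handshake completes; 1460 is a constructed value, only "non-zero" matters. */
static void tcp_init_transfer(struct sock *sk) { sk->rcv_divisor = 1460; }

/* In the patched kernel this may run from BH context, hence GFP_ATOMIC there. */
static void tcp_send_fin(struct sock *sk, int from_state) { sk->fin_from_state = from_state; }

/* Model of tcp_shutdown(sk, SEND_SHUTDOWN). */
static void tcp_shutdown(struct sock *sk, unsigned int how)
{
    unsigned int may_send_fin = TCPF(TCP_ESTABLISHED);  /* kernel also lists SYN_SENT, CLOSE_WAIT */
    int prev = sk->state;

    sk->sk_shutdown |= how;                  /* remembered even if nothing is sent yet */
    if (!sk->fixed)
        may_send_fin |= TCPF(TCP_SYN_RECV);  /* the transition the patch removes */

    if (TCPF(sk->state) & may_send_fin) {
        sk->state = TCP_FIN_WAIT1;           /* tcp_close_state() */
        tcp_send_fin(sk, prev);
    }
}

/* Model of the TCP_SYN_RECV -> TCP_ESTABLISHED step in tcp_rcv_state_process(),
 * run when the peer's ACK completes the cross-SYN handshake. */
static void tcp_rcv_state_process_ack(struct sock *sk)
{
    if (sk->state != TCP_SYN_RECV)
        return;
    sk->state = TCP_ESTABLISHED;
    tcp_init_transfer(sk);
    if (sk->fixed && (sk->sk_shutdown & SEND_SHUTDOWN))
        tcp_shutdown(sk, SEND_SHUTDOWN);     /* deferred shutdown, now from a sane state */
}

/* Model of the receive-path estimator that faulted: it is skipped while the
 * handshake is in progress and divides by a value tcp_init_transfer() should
 * have set. Returns -1 where the kernel would take a divide error. */
static int tcp_rcv_space_adjust(const struct sock *sk, unsigned int copied)
{
    if (sk->state == TCP_SYN_RECV)
        return 0;
    if (sk->rcv_divisor == 0)
        return -1;
    return (int)(copied / sk->rcv_divisor);
}

struct outcome {
    int space_before_ack;  /* tcp_rcv_space_adjust() right after shutdown() */
    int fin_from_state;    /* state the FIN was generated from */
    int space_after_ack;   /* tcp_rcv_space_adjust() after the handshake completes */
    int final_state;
};

/* Replays the sequence from the post: CLOSE -> connect() -> SYN_RECV -> shutdown(). */
static struct outcome replay(int fixed)
{
    struct sock sk = { .state = TCP_SYN_RECV, .fin_from_state = -1, .fixed = fixed };
    struct outcome o;

    tcp_shutdown(&sk, SEND_SHUTDOWN);        /* shutdown(fd, SHUT_WR) */
    o.space_before_ack = tcp_rcv_space_adjust(&sk, 4096);  /* constructed byte count */
    tcp_rcv_state_process_ack(&sk);
    o.space_after_ack = tcp_rcv_space_adjust(&sk, 4096);
    o.fin_from_state = sk.fin_from_state;
    o.final_state = sk.state;
    return o;
}

int main(void)
{
    struct outcome before = replay(0), after = replay(1);
    printf("unpatched: FIN from state %d, rcv_space_adjust -> %d (divide error)\n",
           before.fin_from_state, before.space_before_ack);
    printf("patched:   FIN from state %d, rcv_space_adjust -> %d\n",
           after.fin_from_state, after.space_after_ack);
    return 0;
}
```

In the unpatched replay the FIN is generated while the socket is still in TCP_SYN_RECV and the next receive-path call divides by an uninitialised value; in the patched replay the shutdown is only recorded, the socket first becomes TCP_ESTABLISHED with its transfer state initialised, and only then does the deferred tcp_shutdown() move it to TCP_FIN_WAIT1.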

Excerpt from the original syzbot crash report [1]:

CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
....

This patch resolves the vulnerability and prevents the crashes and associated security risks described above.

Conclusion

The Linux kernel developers have addressed CVE-2024-36905, which affected the tcp_shutdown() function when handling TCP_SYN_RECV sockets. The patch removes the problematic state transition and ensures that the FIN packet is sent from a sane socket state. With this fix, the kernel is more robust against the crashes and potential exploits associated with the issue.

Timeline

Published on: 05/30/2024 16:15:14 UTC
Last modified on: 07/03/2024 02:03:47 UTC