CVE-2024-36938: Mitigation of NULL Pointer Dereference Vulnerability in Linux Kernel's sk_psock_skb_ingress_enqueue

A recently disclosed Linux kernel vulnerability deserves attention on systems that use BPF sockmap (sk_msg) to redirect or inspect socket traffic, since the affected code sits in the kernel's socket receive path. This post discusses the vulnerability and the fix committed to the Linux kernel to address it.

Vulnerability

The vulnerability, assigned CVE-2024-36938, is a NULL pointer dereference reachable through sk_psock_skb_ingress_enqueue() in the kernel's sockmap code. The syzbot report that exposed it [1] is a KCSAN data-race report: one task writes a field of the psock while another task, running sk_psock_skb_ingress_enqueue(), reads the same field with no synchronization between them, so the reader can end up calling through a pointer the writer has just cleared.

Cause

The root cause is that psock->saved_data_ready was read and called from sk_psock_data_ready(), on the path from sk_psock_skb_ingress_enqueue(), without holding sk_callback_lock, while sk_psock_drop() clears the same pointer under write_lock_bh(&sk->sk_callback_lock). Commit 4cd12c6065df [2] had already fixed an identical race for a different caller, sk_psock_verdict_data_ready(), but only by taking the lock at that one call site, so every other caller of sk_psock_data_ready() stayed unprotected.

Solution

The fix takes the read side of sk_callback_lock around the access to psock->saved_data_ready, using read_lock_bh() to pair with the write_lock_bh() on the writer side in sk_psock_drop(). Rather than adding another lock pair at the newly found call site, the author moved the locking into sk_psock_data_ready() itself, as John Fastabend suggested, so that every present and future caller is covered by construction and the call-site locking introduced by 4cd12c6065df is no longer needed.

The patched helper is sk_psock_data_ready(), a static inline function in include/linux/skmsg.h; the lock pair that 4cd12c6065df had placed around its caller in net/core/skmsg.c is moved into the helper by the same commit. After the fix it reads:

// include/linux/skmsg.h: sk_psock_data_ready() after the fix
static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock)
{
    /* Hold the read side of sk_callback_lock across the NULL test and the
     * indirect call. sk_psock_drop() clears psock->saved_data_ready under
     * write_lock_bh(&sk->sk_callback_lock), so it can no longer run in
     * between the two. */
    read_lock_bh(&sk->sk_callback_lock);
    if (psock->saved_data_ready)
        psock->saved_data_ready(sk);
    else
        sk->sk_data_ready(sk);
    read_unlock_bh(&sk->sk_callback_lock);
}
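The race described under Cause and the fix under Solution, reduced to a user-space model that can be compiled and run anywhere. This is an added example written for this post, not kernel code and not part of the fix: the rwlock_model counters standing in for sk_callback_lock, the two-field sock and sk_psock structures, the tcp_like_data_ready callback and the window hook that stands in for the point where another CPU runs sk_psock_drop() are all assumptions made so the interleaving can be driven deterministically from a single thread. The pre-fix reader performs the NULL test and the indirect call with the window open between them; the post-fix reader holds the read lock across both, so the writer's attempt to clear the pointer is refused instead of landing in the gap.

```c
#include <stdio.h>

/* Single-threaded model of the sk_callback_lock race behind CVE-2024-36938. The
 * structures, lock and callbacks are simplified stand-ins for the kernel's, not
 * kernel code; the interleaving is driven explicitly through a "window" hook. */

/* Lock state standing in for sk->sk_callback_lock. The kernel's writer spins in
 * write_lock_bh(); this model reports failure instead so a single-threaded run
 * cannot deadlock. The _bh (softirq-disable) aspect is ignored. */
struct rwlock_model { int readers; int writer; };

static void read_lock_model(struct rwlock_model *l)    { l->readers++; }
static void read_unlock_model(struct rwlock_model *l)  { l->readers--; }
static void write_unlock_model(struct rwlock_model *l) { l->writer = 0; }
static int try_write_lock_model(struct rwlock_model *l)
{
    if (l->readers || l->writer)
        return 0;
    return l->writer = 1;
}

struct sock;
typedef void (*data_ready_fn)(struct sock *);
struct sock {
    struct rwlock_model sk_callback_lock;
    data_ready_fn sk_data_ready;
    int wakeups;         /* data_ready callbacks that actually ran */
    int drop_completed;  /* whether the modelled sk_psock_drop() got the write lock */
};
struct sk_psock { data_ready_fn saved_data_ready; };
typedef void (*window_fn)(struct sock *, struct sk_psock *);

static void tcp_like_data_ready(struct sock *sk) { sk->wakeups++; }

/* Writer: the sk_psock_stop_verdict() step of sk_psock_drop(), which restores
 * the socket's own callback and clears saved_data_ready under the write lock. */
static int psock_stop_verdict(struct sock *sk, struct sk_psock *psock)
{
    if (!try_write_lock_model(&sk->sk_callback_lock))
        return 0;                       /* a reader holds the lock */
    sk->sk_data_ready = psock->saved_data_ready;
    psock->saved_data_ready = NULL;
    write_unlock_model(&sk->sk_callback_lock);
    return 1;
}

/* Reader before the fix: NULL test and indirect call are separated by a point
 * (window) where another CPU may run sk_psock_drop(). Returns 0 if a callback
 * ran, -1 if the call would have gone through a NULL pointer. */
static int data_ready_unlocked(struct sock *sk, struct sk_psock *psock, window_fn window)
{
    data_ready_fn fn;
    if (!psock->saved_data_ready) {
        sk->sk_data_ready(sk);
        return 0;
    }
    window(sk, psock);
    fn = psock->saved_data_ready;       /* re-read from memory, as the CPU does */
    if (!fn)
        return -1;                      /* the real kernel would jump to address 0 */
    fn(sk);
    return 0;
}

/* Reader after the fix: the same sequence with the read lock held across the
 * test and the call, so the writer cannot clear the pointer in between. */
static int data_ready_locked(struct sock *sk, struct sk_psock *psock, window_fn window)
{
    int rc;
    read_lock_model(&sk->sk_callback_lock);
    rc = data_ready_unlocked(sk, psock, window);
    read_unlock_model(&sk->sk_callback_lock);
    return rc;
}

/* The interleaving syzbot hit: sk_psock_drop() runs inside the window. */
static void drop_psock_in_window(struct sock *sk, struct sk_psock *psock)
{
    sk->drop_completed = psock_stop_verdict(sk, psock);
}

struct race_result { int rc; int wakeups; int drop_completed; };
/* Drive one wakeup through the chosen reader with a drop racing against it. */
struct race_result run_race(int use_fixed_reader)
{
    struct sock sk = { { 0, 0 }, tcp_like_data_ready, 0, 0 };
    struct sk_psock psock = { tcp_like_data_ready };  /* psock installed, original saved */
    struct race_result r;
    r.rc = use_fixed_reader ? data_ready_locked(&sk, &psock, drop_psock_in_window)
                            : data_ready_unlocked(&sk, &psock, drop_psock_in_window);
    r.wakeups = sk.wakeups;
    r.drop_completed = sk.drop_completed;
    return r;
}

int main(void)
{
    struct race_result b = run_race(0), a = run_race(1);
    printf("pre-fix:  rc=%d wakeups=%d drop_completed=%d\n", b.rc, b.wakeups, b.drop_completed);
    printf("post-fix: rc=%d wakeups=%d drop_completed=%d\n", a.rc, a.wakeups, a.drop_completed);
    return 0;
}
```

Build with cc -Wall -o skmsg_race skmsg_race.c and run it. The pre-fix reader reports rc=-1 with drop_completed=1: the drop got the write lock in the gap, cleared the pointer, and the reader was left calling through NULL. The post-fix reader reports rc=0, wakeups=1, drop_completed=0: the drop was refused while the read lock was held, which is exactly the ordering the kernel's write_lock_bh() enforces by spinning. Note that data_ready_locked wraps the unchanged unlocked body, mirroring how the kernel patch added the lock pair around the existing helper rather than rewriting it.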

Conclusion

The Linux kernel developers have fixed the NULL pointer dereference reachable through sk_psock_skb_ingress_enqueue() by making sk_psock_data_ready() take sk_callback_lock itself. This post gave a brief overview of the vulnerability, its root cause, and the fix. Building on the earlier partial fix in commit 4cd12c6065df, the change closes the race on psock->saved_data_ready for every caller rather than a single one, which is what keeps this path safe when a socket is torn down concurrently with incoming data.

References

1. syzbot report: BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue
2. Linux commit 4cd12c6065df: bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()

Timeline

Published on: 05/30/2024 16:15:16 UTC
Last modified on: 07/29/2024 07:15:03 UTC