CVE-2024-41010: Linux Kernel Vulnerability in bpf Resolved - Fix for Too Early Release of tcx_entry

In the Linux kernel, a critical vulnerability has been found and resolved that affects the Berkeley Packet Filter (bpf) system. Pedro Pinto first identified the issue and, independently, Hyunwoo Kim and Wongi Lee also reported the problem. The vulnerability, assigned the identifier CVE-2024-41010, involves the too early release of the tcx_entry, which can lead to a use-after-free (UAF) scenario. This can occur when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance.

Attach chain to the tcf block

4. Create and graft a clsact qdisc, causing the ingress qdisc created in step 1 to be removed and the tcx_entry to be freed

Close the network namespace, triggering the UAF during the clsact qdisc release

To better understand the vulnerability and its implications, you can find the original reference to the issue here.

The fix for this issue involves changing the miniq_active boolean into a reference counter. With this modification in place, the tcx_entry will be freed at the appropriate time and will prevent the use-after-free scenario from occurring.

Here's a code snippet of the fix implementation

// In the Linux kernel header file, replace the miniq_active boolean with an integer counter
int miniq_ref;

// When adjusting the reference counter, make sure to increment and decrement it properly
miniq_ref++;

// Perform the check for releasing the tcx_entry
if (miniq_ref == ) {
    tcx_entry_free(tcx_entry);
}

In conclusion, the Linux kernel vulnerability CVE-2024-41010 involving the bpf system has been resolved by modifying the miniq_active boolean into a reference counter. This fix ensures that tcx_entry is no longer released too early, preventing use-after-free scenarios and improving overall security and stability in the Linux kernel.

If you are running a Linux kernel version affected by this vulnerability, it is recommended to apply the patch as soon as possible. You can find more information and guidance on how to apply the patch by visiting the Linux Kernel Mailing List archive.

Timeline

Published on: 07/17/2024 07:15:02 UTC
Last modified on: 07/19/2024 15:24:59 UTC