In the Linux kernel, a vulnerability has been discovered in the tap_get_user_xdp() path. It can lead to out-of-bounds access beyond the actual frame length and to incorrect or inconsistent header lengths in the skb metadata, which confuses the lower layers of the stack. The vulnerability has been assigned the CVE identifier CVE-2024-41090.

Description

The TAP (TUN/TAP) device driver in the Linux kernel creates a network interface through which user-space programs send and receive raw Ethernet frames. The vulnerability concerns the missing verification of the frame length in the tap_get_user_xdp() path. The original code did not check that the frame was long enough, so a malformed skb (socket buffer) could be passed down the stack.

This vulnerability affects Linux kernel versions before the fix was applied. A short frame reaching this path can cause out-of-bounds access beyond the actual frame length. It can also leave incorrect or inconsistent header lengths in the skb metadata, confusing the lower layers and potentially disrupting the system.

Exploit Details

The vulnerability arises because the code in the Linux kernel's tap_get_user_xdp() path did not check the validity of the frame length. Here is the affected code, with the length check absent:

static ssize_t tap_get_user_xdp(struct tap_dev *tap, struct xdp_buff *xdp,
	...
	/* no check here that the frame is at least ETH_HLEN bytes long */
	...

The code on this path assumes that the frame is at least ETH_HLEN bytes (the Ethernet header size) long. Nothing verified this, so frames shorter than an Ethernet header were accepted and transmitted.

In contrast, the related function tap_get_user() already rejects frames shorter than the Ethernet header. This inconsistency between the two paths is the root of the vulnerability in tap_get_user_xdp().

Resolution

To fix this vulnerability, tap_get_user_xdp() must drop any frame shorter than the Ethernet header size, as tap_get_user() already does. The patch adds the required frame length check:

static ssize_t tap_get_user_xdp(struct tap_dev *tap, struct xdp_buff *xdp,
	...
	/* drop frames shorter than the Ethernet header, as tap_get_user() does */
	if (unlikely(len < ETH_HLEN))
		goto err_nobh;
	...
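The following user-space model, added here as an illustration and not code from the kernel or the patch, shows why the check matters. It mimics an xdp_buff as a [data, data_end) byte range and reads the EtherType only after verifying that the frame holds a full Ethernet header (and, for an 802.1Q-tagged frame, the extra tag bytes); the struct and function names are hypothetical and the frames are constructed samples.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14      /* dst(6) + src(6) + EtherType(2) */
#define VLAN_HLEN   4       /* 802.1Q tag */
#define ETH_P_8021Q 0x8100

/* Hypothetical stand-in for the kernel's xdp_buff: the frame occupies [data, data_end). */
struct xdp_view {
    const uint8_t *data;
    const uint8_t *data_end;
};

static uint16_t be16_at(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the payload EtherType (after at most one 802.1Q tag) as a
 * non-negative value, or -EINVAL when the frame is too short for the
 * headers it claims to carry. The first check is the one the patch adds:
 * without it, reading the EtherType at offset 12 runs past the end of a
 * runt frame. */
long eth_payload_type(const struct xdp_view *xdp)
{
    ptrdiff_t len = xdp->data_end - xdp->data;
    uint16_t type;

    if (len < ETH_HLEN)                 /* the missing verification */
        return -EINVAL;
    type = be16_at(xdp->data + 12);
    if (type == ETH_P_8021Q) {          /* a tag needs VLAN_HLEN more bytes */
        if (len < ETH_HLEN + VLAN_HLEN)
            return -EINVAL;
        type = be16_at(xdp->data + ETH_HLEN + 2);
    }
    return type;
}

/* Convenience wrapper over a plain buffer of the given length. */
long eth_payload_type_buf(const uint8_t *buf, size_t len)
{
    struct xdp_view v = { buf, buf + len };
    return eth_payload_type(&v);
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    uint8_t ipv4[60] = {0}; ipv4[12] = 0x08; ipv4[13] = 0x00;   /* EtherType IPv4 */
    uint8_t runt[13] = {0};                                      /* one byte short */
    printf("ipv4 frame: %ld\n", eth_payload_type_buf(ipv4, sizeof ipv4));
    printf("runt frame: %ld\n", eth_payload_type_buf(runt, sizeof runt));
    return 0;
}
```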

Original References

You can find further details and the patch submission in the Linux kernel mailing list and its corresponding discussion:

- [PATCH net] tap: add missing verification for short frame: https://lore.kernel.org/netdev/162734310444.2161802.14820413450501339842.stgit@jacob-builder/

- Discussion thread: http://lists.openwall.net/netdev/2023/07/26/610

Conclusion

The vulnerability in the Linux kernel's TAP device driver, specifically in the tap_get_user_xdp() path, can cause out-of-bounds access and confuse the lower layers of the stack. The flaw is a missing frame length check, which allowed frames shorter than an Ethernet header to be transmitted. The fix is to check for and drop any frame shorter than the Ethernet header size, as tap_get_user() already does. Applying the patch is strongly recommended to preserve the security and stability of the kernel.

Timeline

Published on: 07/29/2024 07:15:07 UTC
Last modified on: 09/15/2024 17:52:14 UTC