CVE-2024-41091: Linux Kernel Tun Vulnerability - Missing Verification for Short Frame

CVE-2024-41091 is a vulnerability that was found and fixed in the Linux kernel's tun/tap driver (drivers/net/tun.c), the component that provides virtual network devices. The driver's XDP receive path accepted frames shorter than an Ethernet header without checking their length. A corrupted skb (socket buffer) could then be handed down the stack, where the inconsistent header length recorded in the skb metadata could lead to out-of-bounds access or confuse the lower layers.

Details

The Linux kernel's tun driver implements virtual network devices in two modes: IFF_TUN, which carries Network layer (Layer 3) packets, and IFF_TAP, which carries Data Link layer (Layer 2) Ethernet frames. Frames can enter the driver either through write()/sendmsg() on the device file descriptor, handled by tun_get_user(), or as an array of XDP buffers passed through sendmsg(), the batched path used by vhost-net and handled by tun_xdp_one(). The vulnerability is in tun_xdp_one(): it never checked that the frame it was given was long enough to hold an Ethernet header.

In practical terms, a frame shorter than ETH_HLEN (14 bytes) could be turned into an skb and sent down the stack. Even before transmission, tun_xdp_one() calls eth_type_trans(), which reads the Ethernet header and pulls ETH_HLEN bytes off the front of the skb although fewer bytes are present. Once the skb is transmitted, the lower layers work from header lengths in the skb metadata that do not match the real data, which can cause reads beyond the actual frame or otherwise confuse the underlying drivers and protocol code.

The alternative path, tun_get_user(), already rejects frames shorter than the Ethernet header for IFF_TAP devices (it returns -EINVAL when the frame length is below ETH_HLEN, or when a virtio-net header advertises an hdr_len smaller than ETH_HLEN). That check was missing from tun_xdp_one(). The fix adds the same length check there, so frames shorter than the Ethernet header are dropped in the XDP path exactly as they are in tun_get_user().
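The following is an added example, not code from the kernel or from the advisory, that models the two checks described above in userspace. It stands in a minimal xdp_buff (just a data window over a padded backing buffer, the way a real XDP buffer has tailroom), shows what the pre-fix path computes for a 10-byte runt frame (a stale EtherType read from past data_end and an underflowed payload length, the "inconsistent header length" the advisory describes) and what the post-fix path returns instead. The tap_frame_ok() function models the tun_get_user() rule for IFF_TAP, including the virtio-net hdr_len clause. Names such as xdp_buff_model, frame_view and build_sample are the example's own, and the sample frame bytes are constructed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14          /* octets in an Ethernet header (kernel constant) */
#define ETH_P_IP 0x0800

/* Stand-in for struct xdp_buff: only the [data, data_end) window is modelled. */
struct xdp_buff_model {
    const uint8_t *data;
    const uint8_t *data_end;
};

/* What the rest of the stack would be told about the frame. */
struct frame_view {
    int err;             /* 0, or -EINVAL when the frame is rejected */
    uint16_t proto;      /* EtherType read from the header */
    size_t payload_len;  /* bytes the stack believes follow the header */
};

/* Models the tun_get_user() rule for IFF_TAP: reject frames shorter than the
 * header, and reject a virtio-net hdr_len that claims a header shorter than
 * ETH_HLEN (hdr_len == 0 means "not set" and is accepted). */
static int tap_frame_ok(size_t len, uint16_t vnet_hdr_len)
{
    if (len < ETH_HLEN || (vnet_hdr_len && vnet_hdr_len < ETH_HLEN))
        return -EINVAL;
    return 0;
}

/* Models the check the fix adds at the top of tun_xdp_one(). */
static int xdp_frame_ok(const struct xdp_buff_model *xdp)
{
    size_t datasize = (size_t)(xdp->data_end - xdp->data);
    if (datasize < ETH_HLEN)
        return -EINVAL;
    return 0;
}

/* Pre-fix behaviour: read the EtherType and "pull" the header without
 * checking that 14 bytes are inside the data window.  For a runt frame the
 * EtherType comes from backing storage beyond data_end (tailroom, so no
 * fault, just stale bytes) and the payload length underflows. */
static struct frame_view parse_unchecked(const struct xdp_buff_model *xdp)
{
    struct frame_view v = {0};
    size_t datasize = (size_t)(xdp->data_end - xdp->data);
    v.proto = (uint16_t)((xdp->data[12] << 8) | xdp->data[13]);
    v.payload_len = datasize - ETH_HLEN;   /* wraps when datasize < 14 */
    return v;
}

/* Post-fix behaviour: the same parse, gated by the length check. */
static struct frame_view parse_checked(const struct xdp_buff_model *xdp)
{
    struct frame_view v = {0};
    v.err = xdp_frame_ok(xdp);
    if (v.err)
        return v;
    return parse_unchecked(xdp);
}

/* Constructed sample: `backing_len` bytes of storage filled with 0xaa, of
 * which only the first `datasize` bytes are the frame handed to the driver.
 * The Ethernet header is only copied as far as the frame actually extends. */
static void build_sample(uint8_t *backing, size_t backing_len,
                         struct xdp_buff_model *xdp, size_t datasize)
{
    static const uint8_t eth_hdr[ETH_HLEN] = {
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* dst MAC (locally administered) */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* src MAC */
        0x08, 0x00                            /* ETH_P_IP */
    };
    memset(backing, 0xaa, backing_len);
    memcpy(backing, eth_hdr, datasize < ETH_HLEN ? datasize : ETH_HLEN);
    xdp->data = backing;
    xdp->data_end = backing + datasize;
}

int main(void)
{
    uint8_t backing[64];
    struct xdp_buff_model xdp;

    build_sample(backing, sizeof backing, &xdp, 10);      /* 10-byte runt */
    struct frame_view before = parse_unchecked(&xdp);
    struct frame_view after = parse_checked(&xdp);
    printf("runt: unchecked proto=0x%04x payload_len=%zu; checked err=%d\n",
           before.proto, before.payload_len, after.err);

    build_sample(backing, sizeof backing, &xdp, 60);      /* minimum-size frame */
    struct frame_view ok = parse_checked(&xdp);
    printf("60-byte frame: proto=0x%04x payload_len=%zu err=%d\n",
           ok.proto, ok.payload_len, ok.err);
    return 0;
}
```

The runt case is the instructive one: the unchecked parse reports an EtherType of 0xaaaa that was never part of the frame and a payload length close to SIZE_MAX, which is the kind of metadata the advisory says confuses the layers below; the checked parse refuses the frame with -EINVAL before any header byte is read, which is all the fix does.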

Original References

1. Linux kernel source code repository: drivers/net/tun.c, fixing commit "tun: add missing verification for short frame"
2. CVE-2024-41091 vulnerability record: https://www.cve.org/CVERecord?id=CVE-2024-41091

Code Snippet

The fix, "tun: add missing verification for short frame", adds the length check at the very top of tun_xdp_one() in 'tun.c', before the frame is looked at, and rejects short frames with -EINVAL just as tun_get_user() does. The relevant part of the patched function (unrelated lines elided):

static int tun_xdp_one(struct tun_struct *tun,
                       struct tun_file *tfile,
                       struct xdp_buff *xdp, int *flush,
                       struct tun_page *tpage)
{
    unsigned int datasize = xdp->data_end - xdp->data;
    ...
    /* Drop frames shorter than the Ethernet header, as tun_get_user() does */
    if (unlikely(datasize < ETH_HLEN))
        return -EINVAL;
    ...
}

Exploit Details

To trigger this vulnerability, an attacker has to be able to feed frames into the XDP path of a tap device, which means holding the tap file descriptor or driving the device through vhost-net; it is therefore a local issue rather than something reachable from the network. Submitting a frame shorter than 14 bytes produces an skb whose header length is inconsistent with its data, which can cause out-of-bounds reads or undefined behaviour in the lower layers, up to a kernel crash. No public exploit beyond this description is known from the referenced material.

Conclusion

Linux kernel developers closed CVE-2024-41091 by adding the missing short-frame check to the tun_xdp_one() path, so that any frame shorter than the Ethernet header is now rejected there just as it already was in tun_get_user(). This keeps inconsistent header lengths out of the skb metadata and prevents the out-of-bounds access the lower layers were exposed to. Administrators should run a kernel that includes the commit "tun: add missing verification for short frame", which distributions deliver through their regular kernel updates; systems that expose tap devices to untrusted local users or virtual machines via vhost-net are the ones that most need the update.

Timeline

Published on: 07/29/2024 07:15:07 UTC
Last modified on: 09/15/2024 17:52:15 UTC