CVE-2024-42082 - Resolved Linux Kernel Vulnerability: Removing WARN() from __xdp_reg_mem_model()

In the Linux kernel, a vulnerability has been identified and resolved relating to the xdp subsystem. Specifically, the issue originates in the __xdp_reg_mem_model() function, which exhibits a warning as observed by syzkaller. This post will provide an overview of the vulnerability, a code snippet illustrating the issue, and details on the exploit.

Vulnerability Overview

When calling __xdp_reg_mem_model(), syzkaller reports a warning. This occurs only if __mem_id_init_hash_table() returns an error. There are two situations where this error might appear:

Memory allocation fails

2. rhashtable_init() fails when some fields of the rhashtable_params struct are not initialized properly

Since there exists a static const rhashtable_params struct with valid fields, the second case is impossible. Therefore, only memory allocation issues can trigger the warning. In this case, using WARN() to handle the error is pointless, so it can be safely removed.

Code snippet for the vulnerable function

WARNING: CPU:  PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+x2d9/x650 net/core/xdp.c:299

CPU:  PID: 5065 Comm: syz-executor883 Not tainted 6.8.-syzkaller-05271-gf99c5f563c17 #
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 001:__xdp_reg_mem_model+x2d9/x650 net/core/xdp.c:299

Exploit Details

The exploit relies on triggering the warning in __xdp_reg_mem_model(). By forcing memory allocation to fail, an attacker can cause the warning to appear, leading to potential further issues.

It should be noted that the vulnerability has limited impact given that the warning only occurs when there is a problem with memory allocation. However, proper handling of the error is necessary to reduce potential harm.

Resolution

To address the vulnerability, it's suggested to remove the WARN() call from __xdp_reg_mem_model(). As it only triggers when there is a problem with memory allocation, its removal should not impact normal kernel operations.

The vulnerability was found by the Linux Verification Center (linuxtesting.org) using syzkaller. The original references related to the issue can be found here:

1. Linux kernel issue tracker: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f99c5f563c17
2. Syzkaller: https://github.com/google/syzkaller

It is recommended to keep your Linux kernel updated to the latest version available to ensure the most recent vulnerability fixes and security improvements are applied.

Timeline

Published on: 07/29/2024 16:15:07 UTC
Last modified on: 07/30/2024 19:04:15 UTC