CVE-2024-42083 is a Linux kernel vulnerability in the ionic Ethernet driver (drivers/net/ethernet/pensando/ionic), specifically in the ionic_run_xdp() function. When an XDP program returned XDP_TX or XDP_REDIRECT for a multi-buffer (scatter-gather) packet, the function released only the first page of the packet, so the remaining pages were reused by the receive ring while still in use elsewhere, which ends in a kernel panic. This post gives an overview of the vulnerability, its impact, and the fix that resolved it.

Vulnerability Details

In the Linux kernel, ionic_run_xdp() is the ionic driver's receive-path hook that runs the attached XDP program on an incoming frame and acts on its verdict, including XDP_TX and XDP_REDIRECT. With the MTU raised above a single page buffer, a jumbo frame arrives as a multi-buffer packet: the first page holds the linear part and one or more scatter-gather (SG) pages hold the rest. ionic_run_xdp() did not handle such packets correctly.

When a jumbo frame is received, ionic_run_xdp() first builds an xdp frame from all of the pages referenced by the rx descriptor. If the verdict is XDP_TX or XDP_REDIRECT, ownership of every one of those pages passes to the transmit or redirect path, so the function must unmap the DMA mapping and reset the page pointer to NULL for all of them. Before the fix this was done only for the first page, not for the SG pages. The receive ring's refill logic treats a descriptor whose page pointer is still set as a buffer it still owns, so the SG pages were unexpectedly re-posted to the hardware while the transmit path was still using them. The resulting corruption eventually causes a kernel panic.


When the vulnerability is triggered (a jumbo frame taking the XDP_TX or XDP_REDIRECT path), the kernel panics with a message of the form

Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI

A kernel panic halts the Linux kernel and takes the whole system down with it. Because the trigger is ordinary inbound traffic, anyone able to deliver jumbo frames to an interface that has an XDP program returning XDP_TX or XDP_REDIRECT attached can use this as a Denial of Service (DoS) attack; no local access is needed, only the ability to put frames on the wire.

Resolution

The issue was resolved by handling multi-buffer packets correctly for XDP_TX and XDP_REDIRECT, which in practice means jumbo frames. ionic_run_xdp() now unmaps the DMA mapping and resets the page pointer for every page of the frame, not only the first one, so the refill logic allocates fresh pages for all of the released descriptors instead of reusing the SG pages.

The simplified snippet below illustrates the unmap-and-clear step at the heart of the fix. It is not the kernel's exact diff: in the fixed driver this step is repeated for each of the frame's pages (the linear page and every SG page) rather than applied once to the first page.

...
/* Page ownership moves to the transmit path on XDP_TX, or to the
 * redirect target on XDP_REDIRECT; either way the rx ring must give
 * the page up: unmap it and clear the descriptor's page pointer so
 * the refill logic allocates a fresh page instead of reusing this one.
 * The fix applies this to every page of a multi-buffer frame. */
if (xdp_tx && xdp_act == XDP_TX) {
    dma_unmap_page(dev, dma_addr, len, DMA_FROM_DEVICE);
    page = NULL;
} else if (xdp_act == XDP_REDIRECT) {
    dma_unmap_page(dev, dma_addr, len, DMA_FROM_DEVICE);
    page = NULL;
}
...

With this fix in place, every page of a multi-buffer frame that is handed to XDP_TX or XDP_REDIRECT is released from the rx ring, and the kernel panic caused by reusing SG pages no longer occurs.
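The following C program is an added example, not the ionic driver's code or the kernel patch. It models the descriptor bookkeeping described in the vulnerability details and the resolution above: one buf_info slot per page, a frame of nbufs pages handed to XDP_TX, and a ring refill that re-posts any slot whose page pointer is still set. Real DMA mappings are replaced by a simulated page with an owner field, and all names (sim_*, OWNER_*, SIM_MAX_BUFS) are hypothetical. It contrasts the pre-fix behaviour of unlinking only the first page with the fixed behaviour of unlinking all nbufs pages, and counts how many pages the ring would hand back to the NIC while another path still owns them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not ionic driver code): a model of the Rx descriptor
 * bookkeeping behind CVE-2024-42083. A multi-buffer (scatter-gather) frame
 * occupies nbufs consecutive buf_info slots, one page each; slot 0 is the
 * linear part, slots 1..nbufs-1 are the SG fragments. */

#define SIM_MAX_BUFS 8          /* assumed ring depth for the example */

enum sim_owner { OWNER_FREE, OWNER_RX, OWNER_TX };

struct sim_page {
    bool dma_mapped;            /* NIC may DMA into the page while true */
    enum sim_owner owner;       /* which path may touch the page right now */
};

struct sim_buf_info {
    struct sim_page *page;      /* NULL means "slot needs a fresh page" */
};

struct sim_rxq {
    struct sim_buf_info bufs[SIM_MAX_BUFS];
    int nbufs;                  /* pages used by the frame being processed */
};

/* The NIC filled nbufs pages of one frame; all are mapped and Rx-owned. */
static void sim_rx_prepare(struct sim_rxq *q, struct sim_page *pages, int nbufs)
{
    q->nbufs = nbufs;
    for (int i = 0; i < nbufs; i++) {
        pages[i].dma_mapped = true;
        pages[i].owner = OWNER_RX;
        q->bufs[i].page = &pages[i];
    }
}

/* XDP_TX / XDP_REDIRECT: the xdp_frame references every page, so the whole
 * frame now belongs to the transmit (or redirect target) path. */
static void sim_frame_handoff(struct sim_rxq *q)
{
    for (int i = 0; i < q->nbufs; i++)
        q->bufs[i].page->owner = OWNER_TX;
}

/* Pre-fix behaviour: only the first page is unmapped and its slot cleared. */
static void sim_unlink_first_only(struct sim_rxq *q)
{
    q->bufs[0].page->dma_mapped = false;
    q->bufs[0].page = NULL;
}

/* Fixed behaviour: walk all nbufs pages of the frame, not just the first. */
static void sim_unlink_all(struct sim_rxq *q)
{
    for (int i = 0; i < q->nbufs; i++) {
        q->bufs[i].page->dma_mapped = false;
        q->bufs[i].page = NULL;
    }
}

/* Ring refill: a slot with page == NULL gets a fresh page; a slot whose page
 * pointer is still set is assumed to be Rx-owned and is re-posted to the NIC
 * as-is. Returns the number of re-posted pages that the TX path still owns,
 * i.e. the unsafe reuses that corrupt memory on real hardware. */
static int sim_rx_refill(struct sim_rxq *q, struct sim_page *fresh)
{
    int unsafe = 0;

    for (int i = 0; i < q->nbufs; i++) {
        if (q->bufs[i].page == NULL) {
            fresh[i].dma_mapped = true;
            fresh[i].owner = OWNER_RX;
            q->bufs[i].page = &fresh[i];
        } else if (q->bufs[i].page->owner != OWNER_RX) {
            unsafe++;           /* NIC will DMA into a page Rx no longer owns */
        }
    }
    return unsafe;
}

/* Run one frame of nbufs pages through XDP_TX and refill the ring.
 * Returns the count of unsafely reused pages (0 means correct behaviour),
 * or -1 for an invalid nbufs. */
int sim_run_xdp_tx(int nbufs, bool fixed)
{
    struct sim_page pages[SIM_MAX_BUFS], fresh[SIM_MAX_BUFS];
    struct sim_rxq q;

    if (nbufs < 1 || nbufs > SIM_MAX_BUFS)
        return -1;
    sim_rx_prepare(&q, pages, nbufs);
    sim_frame_handoff(&q);
    if (fixed)
        sim_unlink_all(&q);
    else
        sim_unlink_first_only(&q);
    return sim_rx_refill(&q, fresh);
}

int main(void)
{
    printf("single-page frame, pre-fix: %d unsafe reuses\n", sim_run_xdp_tx(1, false));
    printf("3-page jumbo frame, pre-fix: %d unsafe reuses\n", sim_run_xdp_tx(3, false));
    printf("3-page jumbo frame, fixed:   %d unsafe reuses\n", sim_run_xdp_tx(3, true));
    return 0;
}
```

A single-page frame is unaffected in both variants, which is why the bug only surfaced with jumbo frames; with three pages the pre-fix path leaves both SG pages in the ring while the transmit path owns them, and the fixed path leaves none.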

Conclusion

CVE-2024-42083 shows how a driver's per-page bookkeeping must cover every page of a multi-buffer frame: releasing only the first page while the rest are handed to another path turns a jumbo frame into a remotely triggerable kernel panic. The fix makes ionic_run_xdp() unmap and clear all pages of the frame for XDP_TX and XDP_REDIRECT, closing this crash. Systems running the ionic driver with an XDP program attached should take the patched kernel.

Timeline

Published on: 07/29/2024 16:15:07 UTC
Last modified on: 07/30/2024 19:03:40 UTC