A recently resolved vulnerability in the Linux kernel has been assigned the identifier CVE-2024-42108. It affected the net: rswitch driver, specifically the rswitch_poll() and rswitch_tx_free() functions, and resulted in a use-after-free. This article walks through the details of the vulnerability with code snippets and related references, keeping the language simple and easy to follow.
Exploit Details
The use-after-free is located in the rswitch_tx_free() function, which is inlined into rswitch_poll(). At the core of the bug is the fact that skb (the socket buffer) and gq->skbs[gq->dirty] are the same pointer, which is why the defect is easy to miss: the buffer is released via dev_kfree_skb_any(), and afterwards skb->len is read to update the interface statistics. That read touches a field of an object that has already been freed, hence the use-after-free.
How to Reproduce the Error
This bug is simple to recreate with KFENCE (Kernel Electric Fence) enabled. It produces a splat (an error report from the kernel's internal consistency checks) after only a few packets have been sent; an ARP (Address Resolution Protocol) request or an ICMP (Internet Control Message Protocol) echo request is enough to trigger it.
Code Snippet Fix
The fix reorders the statements so that skb->len is read before the skb is freed. The following simplified version of rswitch_tx_free() shows the corrected order:
static void rswitch_tx_free(struct gq_priv *gq)
{
	while (gq->dirty != gq->cur) {
		struct sk_buff *skb = gq->skbs[gq->dirty];
		/* Read the length first: once dev_kfree_skb_any() has run the
		 * skb must not be touched. The vulnerable code read skb->len
		 * after the free, which is the use-after-free.
		 */
		unsigned int len = skb->len;

		dev_kfree_skb_any(skb);
		/* TX completion: account the transmitted bytes. */
		gq->netdev->stats.tx_bytes += len;
		gq->dirty = rswitch_incr(gq->dirty, gq->size);
	}
}
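To make the ordering concrete, here is an added user-space model of the completion loop described above with a KFENCE-style guard that reports any read of a freed buffer. It is example code, not kernel code and not the rswitch driver's own; model_skb, model_gq, model_tx_free, the poison value and the 60- and 1500-byte frames are all constructed for this example.

```c
/* Added example, not kernel code: a user-space model of the rswitch TX
 * completion loop with a KFENCE-style guard on the socket buffer. */
struct model_skb { unsigned int len; int freed; };
struct model_gq {
	struct model_skb *skbs[4];	/* the TX ring's socket buffers */
	unsigned int dirty, cur;	/* consumer and producer ring indices */
	unsigned long tx_bytes;		/* interface statistics */
};
static unsigned int uaf_reports;	/* detected reads of a freed object */

/* Freeing poisons the object and marks it freed, as slab poisoning would. */
static void model_kfree_skb(struct model_skb *skb)
{
	skb->len = 0xdeadbeefu;
	skb->freed = 1;
}

/* Guarded read of skb->len: a freed object is reported, like a KFENCE splat. */
static unsigned int model_skb_len(const struct model_skb *skb)
{
	if (skb->freed)
		uaf_reports++;
	return skb->len;
}

/* One TX completion pass. fixed == 0 reproduces the CVE-2024-42108 ordering
 * (free first, then read skb->len); fixed != 0 reads len before freeing. */
static void model_tx_free(struct model_gq *gq, int fixed)
{
	while (gq->dirty != gq->cur) {
		struct model_skb *skb = gq->skbs[gq->dirty];
		unsigned int len = fixed ? model_skb_len(skb) : 0;
		model_kfree_skb(skb);
		if (!fixed)
			len = model_skb_len(skb);	/* use after free */
		gq->tx_bytes += len;
		gq->dirty = (gq->dirty + 1) % 4;
	}
}

/* Completes two frames of 60 and 1500 bytes and returns tx_bytes (correct
 * total 1560); uaf_reports tells whether the guard fired during the pass. */
static unsigned long model_run(int fixed)
{
	struct model_skb a = { 60, 0 }, b = { 1500, 0 };
	struct model_gq gq = { { &a, &b }, 0, 2, 0 };
	uaf_reports = 0;
	model_tx_free(&gq, fixed);
	return gq.tx_bytes;
}
```

With the fixed ordering model_run(1) yields 1560 and no report; with the vulnerable ordering the statistics absorb the poison value and the guard fires once per freed buffer, which is the same signal KFENCE gives in the real driver.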
Original References
1. Linux Kernel - net: rswitch: Avoid use-after-free in rswitch_poll()
2. KASAN: use-after-free in rswitch_tx_free/rswitch_poll - Google Groups
Conclusion
The CVE-2024-42108 use-after-free in the rswitch_poll() and rswitch_tx_free() functions of the Linux kernel's net: rswitch driver has been resolved. Reordering the statements so that skb->len is read before the skb is freed removes the bug. It remains important to keep up with newly disclosed kernel vulnerabilities and apply updates promptly to maintain the security and stability of your systems.
Timeline
Published on: 07/30/2024 08:15:03 UTC
Last modified on: 08/21/2024 20:52:35 UTC