In the Linux kernel, a critical vulnerability has been resolved. The vulnerability, identified as CVE-2024-42283, pertains to the initialization of the nexthop fields in the net: nexthop subsystem. In this post, we will discuss the details of the vulnerability, walk through the related code snippet, and provide links to the original references where applicable.

Vulnerability Details

The issue arises due to the presence of two reserved fields in the struct nexthop_grp that are not properly initialized by the nla_put_nh_group() function. These fields end up containing garbage values, which can potentially leak kernel memory and also complicate the process of repurposing these fields for new purposes.

The following code snippet, taken from the Linux kernel source code, demonstrates the issue

struct nexthop_grp {
        u32 id;
        u8 weight;
        u8 resvd1;
        u16 resvd2;
};

To resolve this vulnerability, the patch ensures that all fields in the struct nexthop_grp are initialized properly, thus preventing any potential memory leak or confusion arising from uninitialized fields. The updated code snippet is shown below:

static int nla_put_nh_group(struct sk_buff *skb, const struct nexthop_grp *grp)
{
        struct nlattr *start;
        u32 mask;

        start = nla_nest_start(skb, NHA_GROUP);
        if (!start)
                return -EMSGSIZE;

        mask = NEXTHOP_GRP_RESVD1_MASK | NEXTHOP_GRP_RESVD2_MASK;

        for (; grp->id; grp++) {
                u16 nhg = le16_to_cpu(*(const __le16 *)grp);

                nhg &= ~mask;
                if (nla_put_u16(skb, NHA_GROUP_TYPE, nhg))
                        goto nla_put_failure;
        }

        nla_nest_end(skb, start);

        return ;

nla_put_failure:
        nla_nest_cancel(skb, start);
        return -EMSGSIZE;
}

The main change in the updated code is the addition of the mask variable, which is used to ensure proper initialization of the resvd1 and resvd2 fields by applying a bitwise AND operation with the negation of the mask.

Here is the code demonstrating how the mask is applied

mask = NEXTHOP_GRP_RESVD1_MASK | NEXTHOP_GRP_RESVD2_MASK;

for (; grp->id; grp++) {
        u16 nhg = le16_to_cpu(*(const __le16 *)grp);

        nhg &= ~mask;
        ...
}

This fix ensures that the reserved fields in the struct nexthop_grp are properly initialized and prevents any potential leak of kernel memory or complications arising from uninitialized fields.

Original References

The original patch for this vulnerability can be found in the Linux kernel's commit history.

Additionally, more details about the net: nexthop subsystem can be found in the Linux kernel documentation.

Exploit Details

As of now, there are no known exploits for this vulnerability. However, since it involves the leakage of kernel memory, it is crucial to apply the patch to prevent potential exploitation by malicious actors in the future. The fix has been merged into the Linux kernel, and users should ensure that their systems are updated with the latest kernel version available for their distribution. Keep an eye on CVE databases and security bulletins for any new information regarding potential exploits and vulnerability details.

Timeline

Published on: 08/17/2024 09:15:09 UTC
Last modified on: 08/19/2024 19:54:33 UTC