A vulnerability has been discovered in the Linux kernel's bonding driver: a NULL pointer dereference on the xfrm offload real_dev pointer. This post provides details on the vulnerability, an example trace, and the steps taken to resolve it.

Vulnerability Details

The problem arises because real_dev is set to NULL while packets may still be in transit, so xfrm can call xdo_dev_offload_ok() in parallel with that teardown. All of the offload callbacks assume real_dev is set, so a callback that runs after it has been cleared dereferences a NULL pointer.

To illustrate the problem, here is an example trace showing where the error occurs:

Example trace:
 kernel: BUG: unable to handle page fault for address: 000000000000103
 kernel: bond: (slave eninp1): making interface the new active one
 kernel: #PF: supervisor write access in kernel mode
 kernel: #PF: error_code(x0002) - not-present page
 kernel: PGD  P4D 
 kernel: Oops: 0002 [#1] PREEMPT SMP
...


Resolution

The issue has been resolved in the Linux kernel. The fix ensures that real_dev is not set to NULL while offload state is still live, because a NULL real_dev breaks the callbacks that xfrm may invoke in parallel.
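The race in the Vulnerability Details section and the fix described above, as an added userland model (example code, not the kernel's own; the structure and function names are assumptions loosely modelled on the bonding driver). A failover tears down offload state on the old active slave while one in-flight packet hits the offload_ok callback; with the clearing teardown the callback sees a NULL real_dev, without it the packet is still offloaded on the old device.

```c
/* Added example, not the kernel's code: a userland model of the race
 * described in the text. Names are loosely modelled on the bonding
 * driver and are assumptions. A failover tears down xfrm offload state
 * on the old active slave while a packet in transit hits
 * xdo_dev_offload_ok(); if the teardown cleared real_dev, the callback
 * (which assumes real_dev is set) dereferences NULL. */
#include <stdbool.h>
#include <stddef.h>
struct net_device { const char *name; unsigned int mtu; };
struct xfrm_state { struct { struct net_device *real_dev; } xso; };
struct bond { struct net_device *curr_active_slave; };
enum offload_result { OFFLOAD_HW = 0, OFFLOAD_SW = 1, OFFLOAD_NULL_DEREF = 2 };

/* Model of the offload_ok callback. The kernel dereferences real_dev
 * unconditionally; the model reports that case instead of faulting. */
static enum offload_result offload_ok(struct bond *b, struct xfrm_state *xs,
                                      size_t len)
{
	struct net_device *real_dev = xs->xso.real_dev;
	if (!real_dev)
		return OFFLOAD_NULL_DEREF;       /* the oops in the trace */
	if (real_dev != b->curr_active_slave)
		return OFFLOAD_SW;               /* stale device: software path */
	return len <= real_dev->mtu ? OFFLOAD_HW : OFFLOAD_SW;
}

/* Failover with one in-flight packet interleaved between del_sa_all on
 * the old slave and add_sa_all on the new one. */
static enum offload_result failover(struct bond *b, struct xfrm_state *xs,
                                    struct net_device *new_active,
                                    bool clear_real_dev, size_t inflight_len)
{
	enum offload_result r;
	if (clear_real_dev)
		xs->xso.real_dev = NULL;         /* the unsafe teardown */
	r = offload_ok(b, xs, inflight_len);     /* concurrent callback */
	b->curr_active_slave = new_active;
	xs->xso.real_dev = new_active;           /* re-offload on new slave */
	return r;
}

/* Run the scenario on constructed devices and return what the in-flight
 * callback observed: NULL_DEREF with the clearing teardown, HW without. */
static enum offload_result run_scenario(bool clear_real_dev)
{
	struct net_device old_dev = { "slave0", 1500 }, new_dev = { "slave1", 1500 };
	struct bond b = { &old_dev };
	struct xfrm_state xs = { { &old_dev } };
	return failover(&b, &xs, &new_dev, clear_real_dev, 1400);
}
```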

Original References

1. [PATCH net 1/1] bonding: fix xfrm real_dev null pointer dereference - Dan Carpenter (link to mailing list)

2. Linux Kernel Mailing List - Merged Patch

3. Kernel.org - Linux Kernel Repository

Conclusion

In conclusion, this post highlighted the importance of addressing a vulnerability found in the Linux kernel's bonding feature. By identifying the problem and resolving it in a timely manner, Linux kernel developers have helped ensure the continued security of systems running the kernel. To stay up-to-date with the Linux kernel and its constant developments, it's important to follow relevant mailing lists and periodically check the kernel's official repository.

Timeline

Published on: 09/04/2024 20:15:08 UTC
Last modified on: 09/06/2024 16:31:22 UTC