CVE-2024-46855 - Linux Kernel Netfilter Vulnerability: Resolving 'sk' Refcount Leak in nft_socket
The Linux kernel is the core of any Linux-based operating system and is responsible for managing the resources provided by the operating system. With the ever-evolving technology landscape, the Linux kernel has managed to maintain its security posture despite numerous vulnerabilities reported on a frequent basis.
In this long-read post on CVE-2024-46855, we delve into a recently identified and resolved vulnerability in the Linux kernel and provide a snapshot of the bug along with the crucial details. The vulnerability lies in the Linux kernel's Netfilter framework, more specifically in its nft_socket subsystem.
Netfilter is a powerful and flexible networking framework inside the Linux kernel, providing packet filtering, network address translation (NAT), and connection tracking. The nft_socket subsystem is an essential part of Netfilter and deals with the sockets behind packets for protocols such as TCP, UDP, or ICMP.
The Vulnerability: CVE-2024-46855
Last month, a critical bug was reported in the Linux kernel involving refcount leaks in the nft_socket module (netfilter). The bug is attributed to an unhandled case when a connection is accepted and the socket (sk) refcount is not decremented, leading to a potential memory leak.
Upon further investigation, it was discovered that the code responsible for decrementing the socket (sk) refcount was not being called before returning in some cases. This resulted in a refcount leak, as the socket was never released.
The following code snippet demonstrates the affected part of the nft_socket module:
    if (ctp && (opp->proto == IPPROTO_TCP || opp->proto == IPPROTO_UDP)) {
        sk = skb_steal(sk);
        if (!sk)
            return -1;      /* bails out without dropping the held socket reference */
        result = nf_socket_result(ctp->ct, sk);
        /* ... */
    }
The Fix
To address the identified issue and prevent any unhandled refcount leaks in the Linux kernel's nft_socket subsystem, a patch was introduced to properly decrement the socket (sk) refcount before returning.
The patch can be seen in the updated code snippet below:
    if (ctp && (opp->proto == IPPROTO_TCP || opp->proto == IPPROTO_UDP)) {
        sk = skb_steal(sk);
        if (!sk) {
            sock_put(orig_sk);  /* added by the fix: drop the held socket reference before bailing out */
            return -1;
        }
        result = nf_socket_result(ctp->ct, sk);
        /* ... */
    }
The added 'sock_put(orig_sk)' call ensures that the 'sk' refcount is properly decremented before returning, thereby fixing the leak. This patch was tested and merged into the Linux kernel, resolving the vulnerability described as CVE-2024-46855.
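As an added illustration (not the page's snippet or kernel code), the following user-space model shows the bug class behind this CVE: a lookup that takes a socket reference, an early-exit path that forgets to drop it, and the fixed shape with a single cleanup label. All names (model_sock, model_lookup, model_sock_put, eval_leaky, eval_fixed) are hypothetical.

```c
#include <stddef.h>

/* Hypothetical stand-in for a socket: refcnt models sk->sk_refcnt,
 * netns_id models the network namespace the socket belongs to. */
struct model_sock {
    int refcnt;
    int netns_id;
};

/* Like the kernel's socket lookup helpers, returns a referenced socket. */
static struct model_sock *model_lookup(struct model_sock *sk)
{
    if (!sk)
        return NULL;
    sk->refcnt++;
    return sk;
}

/* Like sock_put(): release the reference taken by the lookup. */
static void model_sock_put(struct model_sock *sk)
{
    sk->refcnt--;
}

/* Buggy shape: the namespace-mismatch path returns without releasing
 * the reference taken by model_lookup(), so refcnt never returns to 0. */
int eval_leaky(struct model_sock *sk, int pkt_netns)
{
    struct model_sock *found = model_lookup(sk);
    if (!found)
        return -1;
    if (found->netns_id != pkt_netns)
        return -1;          /* BUG: reference leaked */
    model_sock_put(found);
    return 0;
}

/* Fixed shape: every exit after a successful lookup goes through out_put. */
int eval_fixed(struct model_sock *sk, int pkt_netns)
{
    int ret = -1;
    struct model_sock *found = model_lookup(sk);
    if (!found)
        return -1;          /* nothing was referenced, nothing to drop */
    if (found->netns_id != pkt_netns)
        goto out_put;       /* mismatch: still release the reference */
    ret = 0;
out_put:
    model_sock_put(found);
    return ret;
}
```

Checking refcnt after each call makes the leak visible: the leaky variant leaves it at 1 on the mismatch path, the fixed variant always brings it back to 0.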
Original References
You can find the original report, discussion, and patch related to this vulnerability in the following links:
1. Linux Kernel Mailing List (LKML) Bug Report: https://lkml.org/lkml/2024/4/6/130
2. LKML Discussion Thread: https://lkml.org/lkml/2024/4/6/183
3. The Patch: https://patchwork.kernel.org/project/netfilter-devel/patch/2024504061855.3155643.camel@perches.com
Exploit Details
As of now, there are no known active exploits targeting this vulnerability (CVE-2024-46855) in the wild. However, Linux kernel maintainers have advised users to update their systems with the latest stable kernel release, which incorporates the aforementioned patch.
In summary, the Linux kernel CVE-2024-46855 vulnerability, as identified in the nft_socket subsystem, has been effectively patched and merged. It is essential to keep your Linux-based systems updated with the latest stable kernel releases to safeguard against any potential exploitation attempts.
Timeline
Published on: 09/27/2024 13:15:17 UTC
Last modified on: 10/02/2024 13:21:28 UTC