CVE-2024-53088 - Linux kernel i40e driver vulnerability: Race Condition and Filter Corruption Issue

A newly discovered vulnerability in the Linux kernel (CVE-2024-53088), now resolved, affects the i40e driver for the Intel Ethernet Controller XL710 Family. It is a race condition that leads to MAC/VLAN filters becoming corrupted and leaking. The issue occurs under heavy load when multiple threads concurrently modify MAC/VLAN filters by setting the MAC address and port VLAN. In this post, we discuss the details of the vulnerability, how it can be exploited, and the fix that has been implemented, and we link to the original references.

Thread T1 concurrently frees the filter in __i40e_del_filter() within i40e_ndo_set_vf_mac().

3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which refers to the already freed filter memory, causing corruption.

1. Spawn multiple VFs (Virtual Functions).

2. Apply a concurrent heavy load by running parallel operations to change MAC addresses on the VFs and change port VLANs on the host.
3. Observe errors in dmesg: "Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX".

Please note that the exact code for stable reproduction cannot be open-sourced by Intel.

Fix:
The fix for this issue involves implementing a new intermediate filter state, I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list. These filters cannot be deleted from the hash list directly but must be removed using the full process.
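
A user-space model of this state change, added here as an illustration and not taken from the i40e driver: it replays one interleaving (sync queues the filter, a delete lands, sync finishes) with and without the intermediate state. The struct, the function names, and the assumption that a filter still in the NEW state is freed directly on delete are hypothetical simplifications.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only. State names follow the page; the rest is hypothetical. */
enum filter_state { FILTER_NEW, FILTER_NEW_SYNC, FILTER_ACTIVE, FILTER_REMOVE };
struct filter {
    enum filter_state state;
    bool on_tmp_add_list;
    bool freed;   /* stands in for kfree(), so the model never touches freed memory */
};

/* Sync, part 1: queue a NEW filter on the temporary add list. */
static void sync_begin(struct filter *f, bool patched) {
    if (f->state != FILTER_NEW)
        return;
    f->on_tmp_add_list = true;
    if (patched)
        f->state = FILTER_NEW_SYNC;   /* intermediate state introduced by the fix */
}

/* Delete: a filter still in NEW is dropped directly (assumed pre-fix shortcut);
 * any other state is only marked and left to the sync task. */
static void del_filter(struct filter *f) {
    if (f->state == FILTER_NEW)
        f->freed = true;
    else
        f->state = FILTER_REMOVE;
}

/* Sync, part 2: true means the sync task would use a filter that was freed. */
static bool sync_finish(struct filter *f) {
    if (f->on_tmp_add_list && f->freed)
        return true;
    f->on_tmp_add_list = false;
    if (f->state == FILTER_NEW_SYNC || f->state == FILTER_NEW)
        f->state = FILTER_ACTIVE;
    return false;
}

/* Replay the interleaving: sync starts, a delete lands, sync finishes. */
bool race_hits_freed_filter(bool patched) {
    struct filter f = { FILTER_NEW, false, false };
    sync_begin(&f, patched);
    del_filter(&f);
    return sync_finish(&f);
}

int main(void) {
    printf("unpatched=%d patched=%d\n", race_hits_freed_filter(false), race_hits_freed_filter(true));
    return 0;
}
```

In the patched run the delete only marks the filter for removal, so the sync task still holds a valid object when it finishes.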

Original References

- Intel Ethernet Controller XL710 Family: [https://www.intel.com/content/www/us/en/products/docs/network-io/ethernet/40-gigabit-ethernet/ethernet-xl710-bm1-bm2-overview.html]
- Linux Kernel Mailing List (LKML) patch submission: [https://lore.kernel.org/lkml/138970499.b4JXOROz04@kroah.com/]

Exploit Details

An attacker can exploit this vulnerability by causing a system to concurrently run multiple operations that change MAC addresses on VFs and port VLANs on the host. This would lead to filter corruption and leakage, which in turn could lead to network instability, denial of service, or other impacts.

Mitigation

To mitigate the risks associated with CVE-2024-53088, affected Linux kernel distributions should apply the patch that implements the I40E_FILTER_NEW_SYNC intermediate state for filters. Users are also advised to monitor their systems for indications of high load conditions leading to filter corruption and take appropriate measures to reduce the risk, such as limiting simultaneous MAC and port VLAN changes.

Conclusion

This long-read post has discussed the details of CVE-2024-53088, a Linux kernel vulnerability in the i40e driver for the Intel Ethernet Controller XL710 Family, which can lead to MAC/VLAN filter corruption under certain conditions. We have provided details on the vulnerability, how it can be exploited, the fix, and mitigation strategies. To stay protected, it is essential for Linux kernel users to apply the relevant patch and continuously monitor their systems for signs of exploitation.

Timeline

Published on: 11/19/2024 18:15:27 UTC
Last modified on: 11/25/2024 13:38:07 UTC