CVE-2024-53138: Linux Kernel kTLS vulnerability in net/mlx5e resolved - Fixing incorrect page refcounting

A recent vulnerability has been discovered and resolved in the Linux kernel's kTLS (Kernel Transport Layer Security) functionality. This vulnerability is related to the net/mlx5e module, which is responsible for handling kTLS operations. In this post, we will discuss the details of this vulnerability, such as the code flaw, its implications, and how it has been addressed.

Vulnerability Details

The issue lies in the kTLS tx (transmit) handling code, which is using both get_page() and page_ref_inc() API functions to increment the page reference count. However, on the release path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is being used.

Here's the problematic code snippet

void mlx5e_ktls_tx_handle_resync_dump_comp(...)
{
    ...
    put_page(kp->page);
    ...
}

As mentioned earlier, the problem occurs when using pages from large folios. The get_page() references are stored on the folio page, while the page_ref_inc() references are stored directly in the given page. When the page is released, the folio page will be dereferenced too many times, which in turn can trigger unpredictable behavior and potentially lead to system crashes or data corruption.

How the vulnerability was discovered

This vulnerability was discovered during kTLS testing with sendfile() + Zero-Copy (ZC) when the served file was read from an NFS (Network File System) on a kernel with NFS large folios support. The kernel commit that added this support is 49b29a573da8 ("nfs: add support for large folios").

For more details on the original discovery and the kernel commit, refer to the following links

- Kernel testing kTLS commit
- NFS folios support commit

Fix and Resolution

The vulnerability has been resolved by switching all the increment operations to use exclusively get_page(). This ensures consistency in the reference incrementing and decrementing process and prevents an incorrect page reference count.

Here's the patched code snippet

void mlx5e_ktls_tx_post_param(...)
{
    ...
    get_page(page);
    ...
}

Conclusion

By addressing the CVE-2024-53138 vulnerability, the Linux kernel developers have further strengthened the security and stability of the kTLS functionality. Users are encouraged to update their kernels to benefit from this important fix and continue enjoying secure and efficient communications using kTLS.

Timeline

Published on: 12/04/2024 15:15:13 UTC
Last modified on: 12/19/2024 09:40:07 UTC