A vulnerability has been resolved in the Linux kernel's netlink socket code. Tracked as CVE-2024-53140, it arises when a netlink dump is still outstanding at the moment the user closes the socket, leaving the dump's state open to inconsistency while the socket is being torn down.

Vulnerability Details

CVE-2024-53140 affects the iterative dump mechanism of the netlink module in the Linux kernel, in which the kernel returns a large result set to the user in several asynchronous steps. The problem arises when the user closes the netlink socket before the dump has reached its end.

When a dump is ongoing and the socket is being freed, the module checks for the ongoing dump before freeing the socket. If the dump is not complete, the dump's "done" function is called. However, because the reference handling around this path was ineffective, the "done" function might be called unnecessarily, or the socket might be released without its dump state being properly cleaned up.

Fix and Exploit Prevention

To address CVE-2024-53140, the Linux kernel developers removed the workqueue and instead flush the dump state directly from the release handler. This ensures that cleanup reliably happens when the socket is closed, and it prevents the race conditions that could occur when other code reached the socket after the close.

The following abbreviated snippet illustrates the shape of the fix in the updated Linux kernel (elided lines are marked with `...`):

// Release handler: terminate any outstanding dump synchronously,
// before the socket is freed, instead of deferring the work.
static void netlink_release(struct sock *sk)
{
	...
	if (nlk->cb_running) {		/* a dump is still in flight */
		struct netlink_callback *cb = &nlk->cb;
		netlink_dump_stop(nlk, cb);	/* run the dump's done handling now */
	}
}

// With the workqueue removed, the dump path itself stops the dump
// and clears the dump state when it finds a socket that is going away.
static void __netlink_diag_dump(struct netlink_callback *cb)
{
	...
	if (nlk->cb_running) {
		netlink_dump_stop(nlk, cb);
		netlink_remove_fail(nlk);	/* drop the stale dump state */
	}
}

With this change the netlink module handles iterative dumping more safely: the dump state is flushed as part of closing the socket, so users no longer run into the inconsistencies that the deferred cleanup could cause during asynchronous operations.
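To make the difference between the two designs concrete, here is an added user-space model of the dump lifecycle. It is constructed for this article and is not kernel code: `nl_sock`, `nl_callback`, `release_with_workqueue`, `release_flush_inline` and the one-slot "workqueue" are all stand-ins for illustration. The old shape hands the outstanding dump to deferred work, so at the moment close() returns the dump is still marked running and its `done` hook has not run; the fixed shape terminates the dump inside release, so the state is consistent before the socket goes away.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the netlink dump lifecycle (not kernel code). */

struct nl_callback {
    void (*done)(struct nl_callback *cb); /* family's optional cleanup hook */
    int  done_calls;                      /* how often done() has run */
};

struct nl_sock {
    bool cb_running;        /* a dump is in flight on this socket */
    bool released;          /* close() has returned to user space */
    struct nl_callback cb;
};

/* Stand-in for a family's done(): releases whatever the dump was holding. */
static void family_done(struct nl_callback *cb)
{
    cb->done_calls++;
}

/* One-slot "workqueue": work placed here only runs when the simulated
 * kernel gets around to run_workqueue(), i.e. some time after close(). */
static struct nl_sock *deferred_sk;

static void run_workqueue(void)
{
    if (deferred_sk && deferred_sk->cb_running) {
        if (deferred_sk->cb.done)
            deferred_sk->cb.done(&deferred_sk->cb);
        deferred_sk->cb_running = false;
    }
    deferred_sk = NULL;
}

/* Old shape: release defers the outstanding dump to the workqueue. */
static void release_with_workqueue(struct nl_sock *sk)
{
    if (sk->cb_running && sk->cb.done)
        deferred_sk = sk;
    sk->released = true;
}

/* Fixed shape: release terminates the dump itself before returning. */
static void release_flush_inline(struct nl_sock *sk)
{
    if (sk->cb_running) {
        if (sk->cb.done)
            sk->cb.done(&sk->cb);
        sk->cb_running = false;
    }
    sk->released = true;
}

/* Start a dump, close the socket, and report whether the dump state was
 * already flushed (done() run, cb_running cleared) when close() returned. */
static bool dump_flushed_at_close(bool use_fix)
{
    struct nl_sock sk = { .cb_running = true, .cb = { .done = family_done } };
    if (use_fix)
        release_flush_inline(&sk);
    else
        release_with_workqueue(&sk);
    bool flushed = sk.released && !sk.cb_running && sk.cb.done_calls == 1;
    run_workqueue();   /* drain the slot so the next call starts clean */
    return flushed;
}

/* How many times done() ran once any deferred work has been drained:
 * both designs end at exactly one call, the fixed one never double-runs. */
static int done_calls_after_drain(bool use_fix)
{
    struct nl_sock sk = { .cb_running = true, .cb = { .done = family_done } };
    if (use_fix)
        release_flush_inline(&sk);
    else
        release_with_workqueue(&sk);
    run_workqueue();
    return sk.cb.done_calls;
}
```

The model deliberately keeps the window observable: `dump_flushed_at_close(false)` returns false because the dump is still "running" after close, which is the state the fix removes, while `done_calls_after_drain` shows that the fixed path does not cause a second `done` call even if stale deferred work were to run later.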

Original References

- Linux Kernel Repository: Commit de85738
- Mailing List Discussion: netlink: terminate outstanding dump on socket close

Conclusion

CVE-2024-53140 exposed a vulnerability in the Linux kernel's netlink module: a dump still outstanding when its socket was closed could leave the dump state inconsistent during asynchronous operation. The Linux kernel developers resolved it by removing the workqueue and handling the dump state directly from the release handler. Users are encouraged to update to the latest available kernel release to keep their systems secure and stable.

Timeline

Published on: 12/04/2024 15:15:16 UTC
Last modified on: 12/19/2024 09:40:09 UTC