CVE-2024-56788 - net: ethernet: oa_tc6: Fixing tx skb Race Condition between Reference Pointers in Linux Kernel

In the Linux kernel, a vulnerability has been identified and resolved regarding the handling of tx skb's (socket buffers) enqueued from the network stack. The issue occurs due to a race condition between the reference pointers in the 'net: ethernet: oa_tc6' module, which can ultimately result in packet loss and memory leak. This vulnerability has been assigned CVE-2024-56788.

Problem Description

The 'net: ethernet: oa_tc6' module uses two skb pointers to manage tx skb's enqueued from the network stack. The 'waiting_tx_skb' pointer points to the tx skb that needs to be processed, and the 'ongoing_tx_skb' pointer points to the tx skb that is currently being processed.

The SPI (Serial Peripheral Interface) thread prepares the tx data chunks from the tx skb pointed by the 'ongoing_tx_skb' pointer. Once the tx skb pointed by the 'ongoing_tx_skb' is processed, the tx skb pointed by the 'waiting_tx_skb' is assigned to the 'ongoing_tx_skb,' and the 'waiting_tx_skb' pointer is set to NULL. If a new tx skb comes from the network stack, it will be assigned to the 'waiting_tx_skb' pointer if it is NULL. The enqueuing and processing of tx skb's are handled in two separate threads.

A race condition can occur in a particular and specific scenario, as described in the original code and detailed explanation provided by the Linux kernel developers: [link to original references]

Solution

To address this race condition, the developers have implemented a solution that ensures the safe movement of tx skb references from the 'waiting_tx_skb' pointer to the 'ongoing_tx_skb' pointer and the proper assignment of new tx skb to the 'waiting_tx_skb' pointer. This solution protects the 'waiting_tx_skb' pointer from being accessed by another thread until the current thread has completed moving the tx skb reference safely.

Below is a sample code snippet that demonstrates the fix applied to the vulnerability

/* Code Snippet to demonstrate the fix */
spin_lock(&tc6->tx_skb_lock);
if (!tc6->ongoing_tx_skb && tc6->waiting_tx_skb) {
        tc6->ongoing_tx_skb = tc6->waiting_tx_skb;
        tc6->waiting_tx_skb = NULL;
}
spin_unlock(&tc6->tx_skb_lock);

This fix employs the use of spinlocks to synchronize access between threads, ensuring that the 'waiting_tx_skb' pointer is safely handled and preventing the race condition that was causing packet loss and memory leak in certain specific scenarios.

Conclusion

CVE-2024-56788 addresses a critical vulnerability in the Linux kernel, which could result in packet loss and memory leaks due to a race condition between reference pointers when handling tx skb's from the network stack. By implementing mutual exclusion between threads when dealing with these pointers, the issue has been resolved, and Linux kernel developers have provided a more robust and stable solution for managing network traffic.

For more information and the complete implementation of the fix, refer to the original Linux kernel changes: [link to original references]

Timeline

Published on: 01/11/2025 13:15:29 UTC
Last modified on: 01/20/2025 06:28:11 UTC