A recently disclosed vulnerability in the Linux kernel's af_packet implementation (CVE-2024-57901) could be used to crash the system. The bug was the result of an oversight in the code: the MSG_PEEK case was not accounted for. It has since been fixed. This article breaks down the details of the vulnerability, the code changes that fix it, and references to the original sources.

The Vulnerability

The Linux kernel's af_packet code implements packet sockets (AF_PACKET), a low-level socket interface for transmitting and receiving raw frames at the device-driver level, bypassing the TCP/IP stack. They are used by applications such as network monitoring and packet-capture tools or user-space firewalls. Packet sockets come in two flavours: SOCK_RAW hands the application the whole frame including the link-layer header, while SOCK_DGRAM strips the link-layer header and reports its fields through sockaddr_ll. The _dgram suffix in the affected function refers to the latter.

The vulnerability was found by syzbot, the automated fuzzing system that continuously exercises the Linux kernel to identify bugs and security issues. The faulty function is vlan_get_protocol_dgram() in net/packet/af_packet.c, which determines the EtherType encapsulated in a VLAN-tagged frame and, to do so, called skb_push() on the socket buffer. recvmsg() with MSG_PEEK does not dequeue the skb, so the next recvmsg() hands the same, already-modified skb to the function again; the repeated skb_push() then tripped the check that panics when the data pointer would move before the buffer's head (the kernel BUG at net/core/skbuff.c:206 below), crashing the system. The affected kernel versions were:

Here is a snippet of the panic message observed due to this vulnerability:

kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
...
Call Trace:
 <TASK>
  skb_push+0xe5/0x100 net/core/skbuff.c:2636
  vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585
  packet_recvmsg+0x948/0x1ef net/packet/af_packet.c:3552
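The MSG_PEEK behaviour at the root of this bug can be observed from user space without a packet socket or any privilege. The following added example (not part of the original article and not kernel code) uses an AF_UNIX datagram socket pair, which has the same peek semantics as a packet socket's receive queue: a recv() with MSG_PEEK copies the datagram out but leaves it queued, the next plain recv() delivers the very same datagram, and only then is the queue empty. The payload string is constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Sends one datagram over an AF_UNIX SOCK_DGRAM pair and reads it back three
 * times: with MSG_PEEK, normally, and once more non-blocking.
 * Returns 1 when the peek and the normal read both returned the same datagram
 * and the third read found the queue empty, 0 if the kernel behaved
 * differently, -1 on a socket error. */
static int peek_keeps_datagram_queued(const char *payload, size_t len)
{
    int sv[2];
    char peeked[64] = {0}, got[64] = {0}, extra[64];
    ssize_t n_peek, n_get, n_extra;
    int saved_errno, ok;

    if (len > sizeof peeked || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (send(sv[0], payload, len, 0) != (ssize_t)len) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    n_peek  = recv(sv[1], peeked, sizeof peeked, MSG_PEEK);  /* copy out, do not dequeue */
    n_get   = recv(sv[1], got, sizeof got, 0);               /* same datagram, now dequeued */
    n_extra = recv(sv[1], extra, sizeof extra, MSG_DONTWAIT); /* queue should be empty */
    saved_errno = errno;                                     /* close() may clobber errno */
    close(sv[0]);
    close(sv[1]);
    if (n_peek < 0 || n_get < 0)
        return -1;
    ok = n_peek == (ssize_t)len && n_get == (ssize_t)len &&
         memcmp(peeked, got, len) == 0 &&
         n_extra < 0 && (saved_errno == EAGAIN || saved_errno == EWOULDBLOCK);
    return ok ? 1 : 0;
}

int main(void)
{
    int r = peek_keeps_datagram_queued("tagged frame", 12);  /* constructed payload */

    printf("MSG_PEEK left the datagram queued for the next recv(): %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "socket error");
    return r == 1 ? 0 : 1;
}
```

Anything the kernel does to the queued buffer during the peek is therefore still in effect when the buffer is delivered for real, which is why a receive-path helper must treat the skb as read-only.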

The Fix

To resolve this issue, vlan_get_protocol_dgram() was reworked so that it no longer modifies the sk_buff at all: instead of pushing the data pointer back to the link-layer header, it reads the VLAN header from its offset within the buffer and leaves the skb as it found it. A const qualifier was added to the skb argument so that the compiler enforces this. Because the skb is left untouched, it can safely be handed to the function again on the next recvmsg(), which is exactly what the MSG_PEEK path does.

With these changes, the kernel no longer crashes on this path, and recvmsg() on a SOCK_DGRAM packet socket reports the encapsulated protocol of a VLAN-tagged frame whether or not MSG_PEEK was used.
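To make the difference concrete, here is an added example in user space (not the kernel's code and not from the fix commit) that models an sk_buff with just enough state to reproduce the pattern: a helper that rewinds the data pointer to read the VLAN tag is correct exactly once and fails the headroom check when the same buffer is processed a second time, while a helper that takes a const buffer and computes offsets from the stored MAC header position is idempotent. The struct, the frame bytes and the MAX_VLAN_DEPTH limit are constructed for this example; the const variant also walks stacked 802.1ad/802.1Q (QinQ) tags, which goes beyond the single tag the trace above shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14      /* dst(6) + src(6) + EtherType(2) */
#define VLAN_HLEN      4       /* TCI(2) + encapsulated EtherType(2) */
#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define ETH_P_IP       0x0800
#define MAX_VLAN_DEPTH 8       /* chosen for this model: stops a tag loop on hostile frames */

/* User-space stand-in for the parts of sk_buff this bug touches (assumption). */
struct fake_skb {
    unsigned char buf[64];     /* backing store; offset 0 plays the role of skb->head */
    size_t data;               /* offset of the payload pointer (skb->data) */
    size_t mac;                /* offset of the link-layer header (skb_mac_header) */
    size_t tail;               /* one past the last valid byte (skb->tail) */
    uint16_t protocol;         /* outer EtherType, host order (skb->protocol) */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int is_vlan(uint16_t p) { return p == ETH_P_8021Q || p == ETH_P_8021AD; }

/* Model of skb_push(): moving data before head is fatal in the kernel
 * (skb_under_panic -> BUG); here it is reported as -1. */
static int fake_skb_push(struct fake_skb *skb, size_t n)
{
    if (n > skb->data)
        return -1;
    skb->data -= n;
    return 0;
}

/* Mutating helper, shaped like the pre-fix pattern: rewind data to the
 * link-layer header, read the tag through it, leave data moved. */
static int vlan_proto_mutating(struct fake_skb *skb, uint16_t *proto)
{
    *proto = skb->protocol;
    if (!is_vlan(*proto))
        return 0;
    if (fake_skb_push(skb, ETH_HLEN) < 0)          /* assumes data == mac + ETH_HLEN */
        return -1;                                  /* false once the buffer was peeked */
    if (skb->data + ETH_HLEN + VLAN_HLEN > skb->tail)
        return -1;
    *proto = rd16(skb->buf + skb->data + ETH_HLEN + 2);
    return 0;
}

/* Non-mutating helper, shaped like the fix: const skb, offsets derived from
 * the stored MAC header position, every read bounds-checked, stacked tags
 * walked until a non-VLAN EtherType appears. Calling it twice is harmless. */
static int vlan_proto_const(const struct fake_skb *skb, uint16_t *proto)
{
    size_t depth = skb->mac + ETH_HLEN;
    int tags = 0;

    *proto = skb->protocol;
    while (is_vlan(*proto)) {
        if (depth + VLAN_HLEN > skb->tail || ++tags > MAX_VLAN_DEPTH)
            return -1;
        *proto = rd16(skb->buf + depth + 2);
        depth += VLAN_HLEN;
    }
    return 0;
}

/* Constructed sample frame: locally administered MACs, one 802.1Q tag (VID 10)
 * optionally wrapped in an 802.1ad tag (VID 100), IPv4 inside, after 2 bytes of
 * headroom. data is set as a SOCK_DGRAM packet socket sees it: past ETH_HLEN. */
static void build_skb(struct fake_skb *skb, int qinq)
{
    static const unsigned char addrs[12] = {2,0,0,0,0,1, 2,0,0,0,0,2};
    static const unsigned char tag_ad[4] = {0x88,0xa8, 0x00,0x64};
    static const unsigned char tag_q[4]  = {0x81,0x00, 0x00,0x0a};
    static const unsigned char ipv4[2]   = {0x08,0x00};
    size_t off = 2;

    memset(skb, 0, sizeof *skb);
    skb->mac = off;
    memcpy(skb->buf + off, addrs, sizeof addrs);  off += sizeof addrs;
    if (qinq) { memcpy(skb->buf + off, tag_ad, 4); off += 4; }
    memcpy(skb->buf + off, tag_q, 4);             off += 4;
    memcpy(skb->buf + off, ipv4, 2);              off += 2;
    memset(skb->buf + off, 0x45, 4);              off += 4;   /* start of an IPv4 header */
    skb->tail = off;
    skb->protocol = rd16(skb->buf + skb->mac + 12);            /* outer EtherType */
    skb->data = skb->mac + ETH_HLEN;
}

int main(void)
{
    struct fake_skb skb; uint16_t p; int rc;

    build_skb(&skb, 0);
    rc = vlan_proto_mutating(&skb, &p); printf("mutating #1: rc=%d proto=0x%04x\n", rc, p);
    rc = vlan_proto_mutating(&skb, &p); printf("mutating #2: rc=%d (kernel: skb_push BUG)\n", rc);
    build_skb(&skb, 1);
    rc = vlan_proto_const(&skb, &p);    printf("const #1:    rc=%d proto=0x%04x\n", rc, p);
    rc = vlan_proto_const(&skb, &p);    printf("const #2:    rc=%d proto=0x%04x\n", rc, p);
    return 0;
}
```

The const qualifier is the part worth copying into your own receive-path code: it turns "this helper must not touch the buffer" from a convention into something the compiler checks, and a helper that only reads at offsets it computes itself has nothing to get wrong on the second pass.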

The following snippet shows the code changes made for the fix:

- vlan_get_protocol_dgram(skb_push(skb, VLAN_HLEN), skb);
+ skb_push(skb, VLAN_HLEN);
+ proto = vlan_get_protocol_dgram(skb, skb->data - VLAN_HLEN);
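Review bot: the rewritten call still invokes skb_push(skb, VLAN_HLEN) before vlan_get_protocol_dgram() on the `+` lines, so the skb is modified on every recvmsg(), MSG_PEEK included, which is the behaviour the fix described above removes (a helper that leaves the sk_buff untouched and takes a const skb); the second argument `skb->data - VLAN_HLEN` is a pointer into the just-pushed buffer and does not match the single-skb signature the text describes. Either drop the push and have the helper read the VLAN header at an offset it computes from the skb itself, or replace this snippet with the hunk from the referenced upstream commit, since as shown it does not illustrate the fix.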

Additional References

- Discovery of the vulnerability by syzbot: Link
- Linux kernel bugzilla report: Link
- Linux kernel commit with the fix: Link

In conclusion, CVE-2024-57901 in the Linux kernel's af_packet implementation was fixed by handling the previously overlooked MSG_PEEK case, so the bug no longer crashes affected systems. The corrected code leaves the skb untouched while determining the protocol of VLAN-tagged frames received on packet sockets, so the same buffer can be peeked and then received without surprises. Update to a kernel release that contains the fix to stay protected against this vulnerability.

Timeline

Published on: 01/15/2025 13:15:14 UTC
Last modified on: 02/28/2025 18:48:15 UTC