In the Linux kernel, an important vulnerability (CVE-2024-26587) has been identified and resolved that affects the netdevsim module. This vulnerability concerns the proper handling of PTP Hardware Clocks (PHCs) in Virtual Functions (VFs). The issue was originally discovered through a devlink.sh test, revealing a crash occurring during the destruction of netdevsim instances with instantiated VFs. This article provides details on the vulnerability, the solution, sample code snippets, and references to the original sources.

Exploit Details

The issue lies in the netdevsim module, in the pairing between nsim_init_netdevsim() and nsim_destroy(). The PHC is initialized in nsim_init_netdevsim(), which is only called for PF ports (when nsim_dev_port_is_pf() is true), so a VF never gets a PHC. The teardown path in nsim_destroy(), however, called mock_phc_destroy() for every port, VFs included. Destroying a netdevsim with VFs instantiated therefore dereferences a NULL PHC pointer, as shown in the output from the devlink.sh test:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
RIP: 0010:mock_phc_destroy+0xd/0x30
Call Trace:
 <TASK>
 nsim_destroy+0x4a/0x70 [netdevsim]
 __nsim_dev_port_del+0x47/0x70 [netdevsim]
 nsim_dev_reload_destroy+0x105/0x120 [netdevsim]
 nsim_drv_remove+0x2f/0xb0 [netdevsim]
 device_release_driver_internal+0x1a1/0x210
 bus_remove_device+0xd5/0x120
 device_del+0x159/0x490
 device_unregister+0x12/0x30
 del_device_store+0x11a/0x1a0 [netdevsim]
 kernfs_fop_write_iter+0x130/0x1d0
 vfs_write+0x30b/0x4b0
 ksys_write+0x69/0xf0
 do_syscall_64+0xcc/0x1e0
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Solution

In order to resolve this vulnerability (CVE-2024-26587), a teardown counterpart of the nsim_init_netdevsim() function was created, and the mock_phc_destroy() call was moved into it, so that the PHC is destroyed only on the ports that actually initialized one. This restores the symmetry between initialization and teardown for PFs and VFs in the netdevsim module and removes the NULL pointer dereference.

To fix the issue, the following changes were made (shown schematically; the names carrying the _NEW suffix denote the new teardown counterpart as referred to in this article, not the upstream identifiers):

/* Original Code: nsim_destroy() tore the PHC down on every port */
nsim_destroy(ns)
    -> mock_phc_destroy(...)          /* NULL on a VF: crash */

/* New Code: the teardown mirrors the init path and runs only for PF ports */
nsim_destroy(ns)
    -> if (nsim_dev_port_is_pf()) nsim_init_netdevsim_NEW(ns)
           -> mock_phc_destroy(...)   /* only where nsim_init_netdevsim(ns) created a PHC */

By creating the nsim_init_netdevsim_NEW() teardown counterpart and moving mock_phc_destroy() into it, the PHC is no longer destroyed on VFs that never had one, and the crash no longer occurs. The underlying lesson is that every conditional initialization needs a teardown guarded by the same condition.
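The following user-space C model is an added illustration written for this article; it is not code from the page or from the netdevsim driver, and the names nsim_port, port_init, port_destroy_unguarded, port_exit_netdevsim and port_destroy_guarded are constructed for the example. It reproduces the init/teardown asymmetry behind the crash: a PHC is created only for PF ports, the pre-fix teardown destroys the PHC unconditionally (the stand-in returns -1 where the kernel would oops on the NULL pointer), and the fixed teardown mirrors the initialization guard.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's mock PHC object. The clock handle is the first
 * thing the real mock_phc_destroy() touches, which is why a NULL PHC oopses. */
struct mock_phc {
    void *clock;
};

/* Stand-in for a netdevsim port (constructed for this example). In the real
 * driver nsim_dev_port_is_pf() decides PF vs VF; here a flag plays that role. */
struct nsim_port {
    bool is_pf;
    struct mock_phc *phc;   /* stays NULL on VFs: init never runs for them */
};

/* Counts real teardowns so a test can confirm the PF path still frees its PHC. */
static int phc_destroy_calls;

static struct mock_phc *phc_create(void)
{
    struct mock_phc *phc = calloc(1, sizeof(*phc));
    if (phc)
        phc->clock = phc;   /* any non-NULL handle will do for the model */
    return phc;
}

/* Models mock_phc_destroy(): dereference the clock, then free.
 * Returns 0 on success, -1 where the kernel would take a NULL-pointer oops. */
static int phc_destroy(struct mock_phc *phc)
{
    if (!phc)
        return -1;          /* kernel: NULL dereference at phc->clock */
    phc->clock = NULL;
    free(phc);
    phc_destroy_calls++;
    return 0;
}

/* Models nsim_init_netdevsim(): only PF ports get a PHC. */
static int port_init(struct nsim_port *p, bool is_pf)
{
    memset(p, 0, sizeof(*p));
    p->is_pf = is_pf;
    if (!is_pf)
        return 0;
    p->phc = phc_create();
    return p->phc ? 0 : -1;
}

/* Teardown as it behaved before the fix: destroys the PHC on every port,
 * including VFs whose phc pointer was never set. */
static int port_destroy_unguarded(struct nsim_port *p)
{
    int ret = phc_destroy(p->phc);
    p->phc = NULL;
    return ret;
}

/* Teardown counterpart of port_init(): the mirror image of the init path. */
static int port_exit_netdevsim(struct nsim_port *p)
{
    int ret = phc_destroy(p->phc);
    p->phc = NULL;
    return ret;
}

/* Teardown after the fix: run the exit counterpart only where init ran. */
static int port_destroy_guarded(struct nsim_port *p)
{
    return p->is_pf ? port_exit_netdevsim(p) : 0;
}

int main(void)
{
    struct nsim_port pf, vf;

    port_init(&pf, true);
    port_init(&vf, false);
    printf("unguarded VF teardown: %s\n",
           port_destroy_unguarded(&vf) ? "would oops (NULL PHC)" : "ok");
    printf("guarded VF teardown:   %s\n",
           port_destroy_guarded(&vf) ? "would oops" : "ok");
    printf("guarded PF teardown:   %s (PHC freed: %d)\n",
           port_destroy_guarded(&pf) ? "would oops" : "ok", phc_destroy_calls);
    return 0;
}
```

Running the model prints that the unguarded VF teardown would oops while both guarded paths succeed and the PF's PHC is still freed exactly once. The same check applies when reviewing any driver fix of this shape: find the condition on the init side and confirm the exit side is guarded by the identical predicate.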

References

- Linux Kernel Mailing List (LKML) - Fixing CVE-2024-26587
- GitHub - Linux Kernel Commit for CVE-2024-26587
- National Vulnerability Database (NVD) - CVE-2024-26587
- Cvedetails.com - CVE-2024-26587

In conclusion, this Linux kernel vulnerability (CVE-2024-26587) highlights the importance of proper handling and destruction of PHCs, particularly for VFs. Users and system administrators are advised to update their systems to the latest kernel version to ensure that this vulnerability is properly addressed, maintaining system stability and security.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/18/2024 18:09:54 UTC