A recently discovered and resolved vulnerability in the Linux kernel affects the BPF (Berkeley Packet Filter) subsystem. The vulnerability, assigned the identifier CVE-2024-26591, can cause a system crash through a NULL pointer dereference. This post goes into the details of the issue, explaining how it is triggered and its impact on affected systems, and describes the fix that has been implemented to address it.

Problem Description

The Linux kernel BPF subsystem lets user space load verified programs into the kernel, classically to filter network packets efficiently and safely, and also to attach tracing programs to kernel functions. One of its components is bpf_tracing_prog_attach, which handles the attachment of both rawtp and fentry programs. The identified vulnerability lies within this function: a tracing program can reach an attach path in which its attach_btf is missing, and the kernel then crashes. The fix description summarises the resulting state as follows:

The program was loaded for tgt_prog, but there is no way to find out which one.

This leads to a kernel NULL pointer dereference at address 0x58 (a field read through a NULL pointer), causing the system to crash.

Exploit Details

To better understand the crash that results from the missing attach_btf, consider the following excerpt of the kernel oops and its call trace:

BUG: kernel NULL pointer dereference, address: 0000000000000058
Call Trace:
 <TASK>
 ? __die+0x20/0x70
 ? page_fault_oops+0x15b/0x430
 ? fixup_exception+0x22/0x330
 ? exc_page_fault+0x6f/0x170
 ? asm_exc_page_fault+0x22/0x30
 ? bpf_tracing_prog_attach+0x279/0x560
 ? btf_obj_id+0x5/0x10
 bpf_tracing_prog_attach+0x439/0x560
 __sys_bpf+0x1cf4/0x2de
 __x64_sys_bpf+0x1c/0x30
 do_syscall_64+0x41/0xf
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

The crash occurs in bpf_tracing_prog_attach, the function that attaches tracing programs to their BPF targets; the faulting read happens in btf_obj_id, called on the missing attach_btf.

Solution

To fix this vulnerability, the developers added a check to bpf_tracing_prog_attach that returns -EINVAL when a tracing link is requested without a target program and the program carries no attach_btf from which the target could be derived. The attach request is rejected instead of dereferencing the NULL pointer, so the system no longer crashes.
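The following is an added illustration, not the kernel's code and not the CVE-2024-26591 patch itself: a small user-space model of the re-attachment branch in bpf_tracing_prog_attach, showing the unguarded use of attach_btf next to the guarded form that returns -EINVAL. The struct layouts, compute_key(), and the scenario helpers are simplifications invented for this example; only the field names attach_btf, dst_trampoline and the function name btf_obj_id are taken from the page.

```c
/* Added illustration (not the kernel's code and not the CVE-2024-26591 patch):
 * a user-space model of the re-attachment branch in bpf_tracing_prog_attach(),
 * with the unguarded use of attach_btf beside the guarded form that returns
 * -EINVAL. Struct layouts, compute_key() and the scenario helpers are
 * simplifications invented for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel structures involved. */
struct btf { uint32_t id; };
struct bpf_trampoline { uint64_t key; };

struct bpf_prog_aux {
	struct bpf_trampoline *dst_trampoline; /* handed to the first link, then NULL */
	struct btf *attach_btf;                /* NULL when loaded against another program */
	uint32_t attach_btf_id;
};
struct bpf_prog { struct bpf_prog_aux *aux; };

static uint32_t btf_obj_id(const struct btf *btf)
{
	return btf->id; /* the read that faults when btf == NULL */
}

/* Simplified trampoline key: BTF object id in the high word, type id below. */
static uint64_t compute_key(const struct btf *btf, uint32_t btf_id)
{
	return ((uint64_t)btf_obj_id(btf) << 32) | btf_id;
}

/* Unfixed shape: no target program and the trampoline already consumed, so the
 * code falls back to prog->aux->attach_btf without checking that it is set.
 * With attach_btf == NULL this is the NULL pointer dereference from the oops. */
int attach_unfixed(struct bpf_prog *prog, struct bpf_prog *tgt_prog, uint64_t *key)
{
	if (prog->aux->dst_trampoline == NULL && tgt_prog == NULL) {
		*key = compute_key(prog->aux->attach_btf, prog->aux->attach_btf_id);
		return 0;
	}
	*key = 0; /* other attach paths are not modelled here */
	return 0;
}

/* Fixed shape: reject the request with -EINVAL when there is no target program
 * and no attach_btf to derive the target from, instead of dereferencing NULL. */
int attach_fixed(struct bpf_prog *prog, struct bpf_prog *tgt_prog, uint64_t *key)
{
	if (prog->aux->dst_trampoline == NULL && tgt_prog == NULL) {
		if (prog->aux->attach_btf == NULL)
			return -EINVAL;
		*key = compute_key(prog->aux->attach_btf, prog->aux->attach_btf_id);
		return 0;
	}
	*key = 0; /* other attach paths are not modelled here */
	return 0;
}

/* Scenario helper (constructed sample data): a program whose trampoline was
 * already consumed and that either does or does not carry an attach_btf;
 * tgt_prog is always NULL, matching the state described in the fix. */
static int run_scenario(int (*attach)(struct bpf_prog *, struct bpf_prog *, uint64_t *),
			int have_attach_btf, uint64_t *key)
{
	static struct btf vmlinux_btf = { .id = 7 };
	struct bpf_prog_aux aux = {
		.dst_trampoline = NULL,
		.attach_btf = have_attach_btf ? &vmlinux_btf : NULL,
		.attach_btf_id = 10,
	};
	struct bpf_prog prog = { .aux = &aux };
	return attach(&prog, NULL, key);
}

int fixed_without_attach_btf(void) { uint64_t k = 0; return run_scenario(attach_fixed, 0, &k); }
int fixed_with_attach_btf(void)    { uint64_t k = 0; return run_scenario(attach_fixed, 1, &k); }
int unfixed_with_attach_btf(void)  { uint64_t k = 0; return run_scenario(attach_unfixed, 1, &k); }
uint64_t key_fixed_with_attach_btf(void) { uint64_t k = 0; run_scenario(attach_fixed, 1, &k); return k; }

int main(void)
{
	int err = fixed_without_attach_btf();
	printf("fixed, no attach_btf: %d (%s)\n", err, err == -EINVAL ? "-EINVAL" : "?");
	err = fixed_with_attach_btf();
	printf("fixed, attach_btf present: %d key=0x%llx\n", err,
	       (unsigned long long)key_fixed_with_attach_btf());
	/* run_scenario(attach_unfixed, 0, &k) would fault here, as the oops shows. */
	return 0;
}
```

The unfixed variant is only ever exercised with an attach_btf present; calling it without one reproduces, in user space, the same NULL read that the kernel oops reports. The point of the fixed variant is that the error is surfaced to the caller of the bpf() syscall as -EINVAL rather than taking the kernel down.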

In conclusion, CVE-2024-26591 is a vulnerability in the Linux kernel that can bring down a system by triggering a NULL pointer dereference within the BPF subsystem. The Linux community acted swiftly and fixed the issue by returning -EINVAL when the required conditions are not met. Anyone running Linux systems is encouraged to update the kernel and apply the relevant patches so that their systems are protected from this vulnerability.

Relevant References

- Linux kernel mailing list discussion
- Patch for the vulnerability

Timeline

Published on: 02/22/2024 17:15:09 UTC
Last modified on: 03/18/2024 17:54:44 UTC