CVE-2024-26872 - Critical Use-After-Free Vulnerability in Linux Kernel RDMA/SRPT Subsystem

CVE-2024-26872 focuses on a critical use-after-free vulnerability discovered in the Linux kernel’s RDMA subsystem, specifically, the SRPT (SCSI RDMA Protocol Target) implementation. This bug could allow kernel memory corruption or potentially escalate to arbitrary code execution under specific timing and error conditions.

The vulnerability was introduced by the improper registration timing of an event handler during SRPT device initialization. According to the original patch, the fix delays event handler registration until after the SRPT device is fully initialized.

What is SRPT in Linux?

SRPT is a protocol that allows SCSI commands to be sent over RDMA (Remote Direct Memory Access) networks, such as InfiniBand. This is commonly used in high-performance computing environments and storage area networks for fast and low-latency communication between storage devices and systems.

Here’s what happened

1. Event Handler Registration: The SRPT subsystem registered an event handler *before* it finished setting up the device.
2. Race Condition: If something went wrong during setup (say, an error occurred), something half-initialized could be left behind: an event handler still registered with global RDMA core structures.
3. Use-After-Free: If an event arrived, the event handler could get triggered while the memory it relied on was already freed, leading to undefined behavior or even kernel compromise.

This specific bug was detected thanks to Kernel Address Sanitizer (KASAN) reporting a use-after-free write in the srpt_refresh_port() function.

Here’s a simplified version of the vulnerable pattern, as it existed pre-patch

static int srpt_add_one(struct ib_device *device)
{
    struct srpt_device *srpt_dev = kzalloc(...);

    // 1. Register event handler (too soon!)
    ib_register_event_handler(&srpt_dev->event_handler);

    // 2. Continue with initialization...
    if (setup_fails) {
        // 3. Error cleanup
        kfree(srpt_dev); // event_handler still live!
        return -ENOMEM;
    }
    // ...
}

The event handler (event_handler) was registered too early. If something went wrong during setup, freeing srpt_dev didn’t unregister the event handler, meaning a pointer to freed memory could still be called.

The new, fixed code rearranges initialization order

static int srpt_add_one(struct ib_device *device)
{
    struct srpt_device *srpt_dev = kzalloc(...);

    // 1. Complete all initialization first

    if (setup_fails) {
        kfree(srpt_dev);
        return -ENOMEM;
    }

    // 2. Only register event handler *after* everything is ready
    ib_register_event_handler(&srpt_dev->event_handler);
    // ...
}

Now, if something fails during setup, no event handler is ever registered, so there’s no chance for stale pointers or use-after-free bugs.

Reference:
- Upstream Linux Kernel Patch Commit
- CVE-2024-26872 NVD Entry (pending)

While exploiting kernel UAFs (Use-After-Free) is non-trivial, the window here is

- An attacker with the right hardware and configuration (access to RDMA or InfiniBand devices) could try to provoke errors just as initialization is happening.

If they succeed, an event can be sent that triggers the dangling event handler.

- At best, this will crash the kernel (DoS). At worst, with careful heap spraying, they might get arbitrary code execution in kernel context.

In real-world terms:
Most regular Linux users are unlikely to hit this bug. However, high-performance compute clusters or data centers with RDMA hardware, especially where unprivileged users can load modules or create devices, are at risk.

Here’s pseudocode to “exploit” (trigger) the bug

# As root, force-load the SRPT module and attach a device
modprobe srpt

# In parallel, trick device initialization to fail
echo "simulate error" > /sys/class/infiniband/DEVICE/simulate_error

# Try to rapidly create and remove RDMA devices, hoping to catch the race
for i in {1..10000}; do
   echo add > /sys/class/infiniband/DEVICE/add
   echo remove > /sys/class/infiniband/DEVICE/remove
done

*Note: In practice, safely and precisely triggering this is very tough; this is for educational purposes!*

If you use SRPT or InfiniBand hardware: PATCH IMMEDIATELY.

- If you manage clusters or storage nodes: Ensure you are running a kernel with the CVE-2024-26872 patch. Mainline kernels 6.9 and later include the fix.

Summary

CVE-2024-26872 is a use-after-free in the Linux kernel’s SRPT/InfiniBand subsystem caused by premature event handler registration. Due to its nature, it’s mostly a problem for those running large clusters or advanced storage networks, but the underlying bug highlights the importance of proper initialization order in systems programming.

For more details, see

- Upstream Patch Discussion
- Linux Kernel Bugzilla
- RDMA Subsystem Documentation

Stay safe, keep your systems updated!

Tags: #Linux #CVE #UAF #SRPT #RDMA #InfiniBand #KernelSecurity

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 03/03/2025 17:47:59 UTC