CVE-2024-27046 is a recent security vulnerability found and fixed in the Linux kernel, specifically within the nfp (Network Flow Processor) network driver's "flower" offload logic. The problem? If Linux ran out of memory at the wrong time, it could crash due to a missing check after calling a memory allocation function.
What Happened?
In Linux kernel network drivers, handling network devices sometimes requires allocating memory to keep track of them. The function kmalloc_array() allocates memory. But like any allocation, there's a risk it returns NULL if the system's out of memory.
In the function nfp_fl_lag_do_work(), the code tried to allocate an array called acti_netdevs. It didn't check if kmalloc_array() failed, and if it did, it would try to use that array anyway. This would cause a "null pointer dereference" — a fancy way to say "the kernel crashes because it tried to use memory that doesn't exist."
Here's the problematic part of the driver (greatly simplified):
    struct net_device **acti_netdevs;
    ...
    acti_netdevs = kmalloc_array(dev_cnt, sizeof(*acti_netdevs), GFP_KERNEL);
    /* Missing: check if acti_netdevs == NULL */
    for (i = 0; i < dev_cnt; i++)
        some_func(acti_netdevs[i]);
If kmalloc_array() returns NULL, acti_netdevs[i] will cause a crash.
How It Could Be Exploited
This is a local denial-of-service vulnerability. An attacker with access to the system could try to force the system to run out of memory, triggering this code path (for example, by creating network devices until memory is low).
It could also open up further issues if combined with other vulnerabilities.
However, remote exploitation is unlikely (unless combined with another bug).
The Patch: How Linux Fixed It
Kernel developers added a simple check for allocation failure. If acti_netdevs is NULL, they don't crash! Instead, they reschedule the work, so the system will try again later.
Here's the relevant fixed snippet:
    acti_netdevs = kmalloc_array(dev_cnt, sizeof(*acti_netdevs), GFP_KERNEL);
    if (!acti_netdevs) {
        schedule_delayed_work(&lag->work, msecs_to_jiffies(100));
        return;
    }
You can see the fix in the official Linux kernel commit:
https://github.com/torvalds/linux/commit/43df32632d961d1fdfd56888651a17961fb930d7
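To make the before/after concrete, here is an added example (my own user-space model, not the nfp driver's code): a fault-injecting stand-in for kmalloc_array() lets the NULL branch be exercised on purpose, with the unchecked pattern and the fixed pattern side by side. All names (mock_kmalloc_array, lag_do_work_vulnerable, lag_do_work_fixed, g_devs) are hypothetical, and the sample devices are constructed.

```c
/* Added example, not the nfp driver's own code: a user-space model of the
 * nfp_fl_lag_do_work() allocation path with a fault-injecting stand-in for
 * kmalloc_array(). Names are hypothetical; the sample devices are constructed. */
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>
struct net_device { int ifindex; };
struct net_device g_devs[3] = { {1}, {2}, {3} };

static int g_fail_next_alloc;  /* 1 = simulate the kernel being out of memory */
static int g_reschedule_count; /* times the work item asked to be re-run */

/* Like kmalloc_array(): NULL on (simulated) OOM, and NULL when n * size
 * would overflow, so the check matters even on a machine with free memory. */
static void *mock_kmalloc_array(size_t n, size_t size)
{
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    if (n != 0 && size > SIZE_MAX / n)
        return NULL;
    return calloc(n, size);
}

/* Unfixed pattern from the page: no NULL check, so a failed allocation is
 * dereferenced in the loop (a kernel oops). Not called by anything here. */
int lag_do_work_vulnerable(struct net_device *devs, size_t dev_cnt)
{
    struct net_device **acti_netdevs = mock_kmalloc_array(dev_cnt, sizeof(*acti_netdevs));
    for (size_t i = 0; i < dev_cnt; i++)
        acti_netdevs[i] = &devs[i];
    free(acti_netdevs);
    return (int)dev_cnt;
}

/* Fixed pattern: bail out and reschedule instead of touching the array.
 * Returns the number of devices handled, or -1 when the work was rescheduled. */
int lag_do_work_fixed(struct net_device *devs, size_t dev_cnt)
{
    struct net_device **acti_netdevs = mock_kmalloc_array(dev_cnt, sizeof(*acti_netdevs));
    if (!acti_netdevs) {
        g_reschedule_count++;  /* stands in for schedule_delayed_work() */
        return -1;
    }
    for (size_t i = 0; i < dev_cnt; i++)
        acti_netdevs[i] = &devs[i];
    free(acti_netdevs);
    return (int)dev_cnt;
}
```

Setting g_fail_next_alloc before a call reproduces the OOM case without actually exhausting memory; passing an absurd dev_cnt shows the same NULL path taken by kmalloc_array()'s overflow check.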
Learn More — References
- CVE Details for CVE-2024-27046
- Linux kernel patch ("nfp: flower: handle acti_netdevs allocation failure")
- Linux kernel documentation: Memory allocation
Final Thoughts
Who’s affected? Only Linux kernels with NFP "flower" driver enabled, and only if you run low on memory.
How do you stay safe? Upgrade to a kernel version including this patch. If you develop kernel modules: always check your allocations.
Why care? Even small mistakes can lead to big problems. This is a classic example of why checking for NULL matters.
Have your own questions about CVE-2024-27046 or want to discuss Linux kernel bugs? Leave a comment below!
Timeline
Published on: 05/01/2024 13:15:49 UTC
Last modified on: 12/23/2024 18:19:19 UTC