A critical vulnerability has been resolved in the Linux kernel's Xen event channel driver (xen/evtchn): when a user event channel is unbound, the associated interrupt handler may be invoked one last time, which triggers a WARN() if the kernel was built with CONFIG_DEBUG_SHIRQ. The vulnerability has been assigned CVE-2024-27067.
This article will discuss the exploit details, code snippets, and original references for the resolved Linux kernel vulnerability.
Exploit Details
The problem occurs when unbinding a user event channel: the associated handler may be called one last time after the channel is already being torn down. This is the documented effect of CONFIG_DEBUG_SHIRQ, under which free_irq() deliberately invokes the handler once more to catch drivers that cannot cope with a late interrupt; a kernel built with that option therefore hits the WARN() in the event channel handler unless the handler knows the channel is going away.
To solve this, an "unbinding" flag has been added to struct user_event. The flag is set before the channel is unbound and the handler checks it on entry, short-circuiting the call, so the final invocation during unbinding no longer reaches the code that would warn.
Modify the struct user_event definition in evtchn.h as follows (the new field is marked as added):

    struct user_event {
        struct event_disk disk;
        unsigned int unbinding:1;   /* added: set while the channel is being unbound */
        spinlock_t lock;
    };
In evtchn.c, set the flag before the channel is actually unbound:

    void user_evtchn_unbind(struct user_event *ue)
    {
        ue->unbinding = 1;   /* added: any late handler call must now be ignored */
        mask_evtchn(ue);
        unmask_evtchn(ue);
        /* The flag is deliberately left set: the handler's final invocation
         * under CONFIG_DEBUG_SHIRQ happens while the channel is torn down. */
    }
Add the check at the top of the corresponding handler (the handler returns irqreturn_t, the type of IRQ_NONE and IRQ_HANDLED):

    irqreturn_t user_evtchn_handler(struct user_event *ue)
    {
        if (ue->unbinding)   /* added: short-circuit the final call during unbind */
            return IRQ_NONE;
        /* ... normal event handling ... */
        return IRQ_HANDLED;
    }
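To see why the flag matters, here is a small user-space model of the CONFIG_DEBUG_SHIRQ behaviour, added here as an example and not kernel code: a free_irq() stand-in fires the handler once more after the channel has been shut down, and the handler counts a warning when it runs for a disabled channel, as the real evtchn handler's WARN() does. The names unbind_warnings, model_free_irq and the struct layout are constructed for this example, and it assumes the channel being unbound is currently disabled (it delivered an event that user space has not yet acknowledged).

```c
#include <stdbool.h>

typedef enum { IRQ_NONE = 0, IRQ_HANDLED = 1 } irqreturn_t;

/* Constructed stand-in for the kernel's per-channel state. */
struct user_event {
	unsigned int port;
	bool enabled;    /* false once the port has been disabled */
	bool unbinding;  /* the flag added by the fix */
};

static int warn_count;   /* counts what would be a kernel WARN() */

/* Handler: warns if it runs for a disabled port; with the fix it
 * short-circuits while the channel is being torn down. */
static irqreturn_t evtchn_handler(struct user_event *ue, bool fixed)
{
	if (fixed && ue->unbinding)
		return IRQ_HANDLED;
	if (!ue->enabled) {
		warn_count++;
		return IRQ_NONE;
	}
	return IRQ_HANDLED;
}

/* Model of free_irq(): with CONFIG_DEBUG_SHIRQ it calls the handler one
 * more time after the line has been shut down. */
static void model_free_irq(struct user_event *ue, bool debug_shirq, bool fixed)
{
	if (debug_shirq)
		evtchn_handler(ue, fixed);
}

/* Unbind a channel that is currently disabled and return how many
 * warnings that produced under the given build/fix combination. */
int unbind_warnings(bool debug_shirq, bool fixed)
{
	struct user_event ue = { .port = 7, .enabled = false, .unbinding = false };

	warn_count = 0;
	if (fixed)
		ue.unbinding = true;   /* set before the IRQ is freed, as in the fix */
	model_free_irq(&ue, debug_shirq, fixed);
	return warn_count;
}
```

Without CONFIG_DEBUG_SHIRQ no extra call happens and nothing warns; with it, the unfixed path warns once per unbind and the fixed path does not.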
For further details, refer to the following links:
1. Linux kernel fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6b32f410b
2. CVE-2024-27067 patch information: https://www.openwall.com/lists/oss-security/2024/06/09/6
Conclusion
The resolved Linux kernel vulnerability, assigned CVE-2024-27067, was fixed by adding an "unbinding" flag to struct user_event so that the handler ignores its final invocation while an event channel is being unbound. By applying this patch, developers and system administrators avoid the spurious WARN() that CONFIG_DEBUG_SHIRQ kernels otherwise emit during the unbinding process.
Timeline
Published on: 05/01/2024 13:15:50 UTC
Last modified on: 12/19/2024 08:53:44 UTC