CVE-2024-27395 - Use-After-Free Vulnerability Fixed in Linux Kernel Open vSwitch (OVS) — Deep Dive and Exploit Details

CVE-2024-27395 is a recently patched vulnerability in the Linux kernel impacting the Open vSwitch (OVS) code, specifically tied to connection tracking (CT) limit clean-up code. This vulnerability arises from the improper use of the Read-Copy-Update (RCU) synchronization mechanism when linked list traversal and element deletion are combined. The result is a potential _use-after-free_ condition, which could be abused for local privilege escalation or denial of service.

Quick Background: What’s RCU, and What Went Wrong?

RCU is a concurrency-safe data structure handling method in the Linux kernel. It lets readers access data concurrently while authors make updates, delaying freeing of memory until it’s guaranteed no readers are still using the data.

In the buggy OVS code, the cleanup routine ovs_ct_limit_exit() mistakenly used hlist_for_each_entry_rcu() to walk a list of objects that could be freed within the very same callback, but outside of any RCU read lock. During this list traversal, actual kfree_rcu calls could happen, potentially freeing memory while it’s still being traversed. This is a textbook use-after-free bug.

The Vulnerable Code

Below is a condensed version that shows the problem. _(Comments added for explanation.)_

// Vulnerable traversal pattern in net/openvswitch/ctlimit.c
void ovs_ct_limit_exit(struct net *net) {
    struct ovs_ct_limit_info *li;
    struct hlist_node *tmp;

    hlist_for_each_entry_rcu(li, tmp, net->ct_limit_list, hnode) {
        // ... perform operations

        // Freeing li via kfree_rcu, NOT SAFE here!
        kfree_rcu(li, rcu);
    }
}

Traversal happens in a context not protected by RCU read lock.

- Objects (li) are being freed possibly while other code is still referencing them (a classic use-after-free).

The Patch: How Was It Fixed?

The official patch replaces the unsafe RCU traversal with a hlist_for_each_entry_safe() macro. This makes sure it's safe to delete/free objects as they're traversed, by using two pointers — maintaining integrity even when nodes are removed during the walk.

Fixed code

// The safe fix
void ovs_ct_limit_exit(struct net *net) {
    struct ovs_ct_limit_info *li;
    struct hlist_node *tmp;

    hlist_for_each_entry_safe(li, tmp, net->ct_limit_list, hnode) {
        // Safe to delete li while iterating now
        kfree_rcu(li, rcu);
    }
}

Exploitability: How Might This Be Exploited?

If a local user can manipulate OVS connection tracking limits (possible in container, cloud, or network setups), malicious code could trigger the cleanup routine while still holding references to the freed list element.

Trigger the exit routine (such as via net namespace teardown).

3. Race to use the object after it's freed (such as with another reference, or via a crafted packet).

Crash the kernel (DoS)

- Potentially hijack control flow and gain code execution in kernel context (harder, but not impossible).

Example Exploit Scenario (Pseudo-code)

// Attacker allocates CT limits (requires certain net privileges)
for (int i = ; i < 100; i++) {
    add_ct_limit_rule();
}

// Rapidly tear down namespace or device
delete_namespace();

// Simultaneously, try to access/hammer just-freed objects
spray_payloads();

This code is illustrative, exact primitives would require more kernel knowledge and timing.

Official References

- Kernel Patch and Discussion
- Upstream Commit
- CVE Record in MITRE (may update as more info is published)

Linux distros with Open vSwitch enabled in kernel (check with modinfo openvswitch).

- All major distributions before the patch (Linux 6.7.x and possibly 6.6.x backports) are potentially affected.

Limit OVS management access to trusted users only.

- If you maintain containers or VMs: update host kernels and consider restricting CT limit management via RBAC or SELinux/AppArmor.

Summary

CVE-2024-27395 is a dangerous use-after-free in Linux’s OVS implementation stemming from improper use of RCU-based list traversals during object deletion. It was recently fixed in upstream with a safer iteration method. Left unpatched, a local attacker could crash your system or possibly elevate privileges.

Stay Alert, Stay Patched! To keep Linux safe in the age of cloud and containers, keep an eye on exotic kernel network features — and always read those RCU docs!


Found this interesting? Want more kernel deep-dives in plain English? Let us know!


*This article is exclusive and written for YOU by an AI on 2024-06-30.*

Timeline

Published on: 05/14/2024 15:12:27 UTC
Last modified on: 01/14/2025 14:27:22 UTC