CVE-2024-36886 - Use-After-Free in Linux Kernel TIPC (tipc_buf_append Error Path) – Exploit Analysis & Details

A new Linux kernel vulnerability, CVE-2024-36886, was reported and fixed in recent kernel versions. The issue, found in the *Transparent Inter Process Communication* (TIPC) subsystem, exposes systems to a serious _use-after-free_ (UAF) bug in an error path of the tipc_buf_append function. This bug can potentially allow local users — or remote attackers able to send crafted TIPC or UDP packets — to crash the kernel, leak kernel memory, or even achieve escalation of privileges under certain conditions.

In this post, we'll break down the vulnerability into simple terms, walk through its technical details, and show how an attacker might exploit it. We will also share references and links further down.

1. What Is TIPC and Why Does It Matter?

TIPC is a Linux-specific protocol for high-performance cluster communications. It's featured in many major distributions, especially those targeting clusters, IoT, or telecommunications. Because TIPC runs in kernel space and handles network packets, bugs in it can lead to severe system compromise.

Type: Use-After-Free (UAF)

- Location: Kernel, net/tipc/msg.c and tipc_buf_append()

How It Appears

When TIPC receives some malformed or malicious packets (especially over UDP), an error is triggered in tipc_buf_append(). In certain failure scenarios, the kernel frees (deallocates) an SKB (socket buffer) object, but later on, still references it. This is a classic UAF: the kernel accesses memory that is already free, leading potentially to memory corruption, kernel panics, or exploitable conditions.

Here’s a snippet of the crashing backtrace (edited for clarity)

BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+x47e/x4c
linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034

tipc_buf_append+x425/xb50 linux/net/tipc/msg.c:186

The vulnerable function looks like this (simplified for context)

int tipc_buf_append(struct sk_buff **head, struct sk_buff *tail)
{
    // ... code ...
    if (error_condition) {
        kfree_skb(*head);   // Free the buffer
        *head = NULL;
        // ... return error ...
    }
    // ... further code which may access *head ...
}

Problem: In the error path, kfree_skb(*head) releases the memory, but if the calling path later touches *head, the kernel touches freed memory. Depending on the execution path and timing (especially under network load), this can be exploited.

The bug may be reached by sending malformed TIPC packets over UDP sockets (both local and remote vectors, if UDP media transport is enabled).

Who Can Exploit?

- Local users with ability to open/bind network sockets and interact with TIPC
- Remote attackers on networks where TIPC is exposed/unfiltered and UDP media is enabled

Information Leak (read freed memory contents)

- Privilege Escalation (in theory, with advanced heap spraying or exploitation techniques on some setups)

Example Exploit Concept (PoC in C)

The below is an illustrative PoC. *Never run this on critical systems!*

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/tipc.h>
#include <unistd.h>
#include <arpa/inet.h>

// Send malformed message to trigger UAF:
int main() {
    int fd = socket(AF_TIPC, SOCK_DGRAM, );

    struct sockaddr_tipc addr = {
        .family = AF_TIPC,
        .addrtype = TIPC_ADDR_NAME,
        .addr.name.name.type = htonl(),
        .addr.name.name.instance = htonl(),
        .addr.name.domain = 
    };

    char evil_payload[32] = {};
    // Fill with values that specifically trigger the error logic
    evil_payload[] = xff;
    evil_payload[1] = xee;

    sendto(fd, evil_payload, sizeof(evil_payload), ,
           (struct sockaddr *)&addr, sizeof(addr));
    close(fd);

    return ;
}

*Note*: The exact triggering data may require fuzzing or a packet captured from a system with a working exploit. The above shows the method.

5. Fix

The fix essentially adjusts the error path so no freed pointers are accessed. Here’s the relevant commit:

- Fix commit: tipc: fix UAF in error path

Patch excerpt

-   kfree_skb(*head);
+   if (*head) {
+       kfree_skb(*head);
+       *head = NULL;
+   }
    // Ensure *head is not used after kfree_skb

Upgrade your kernel ASAP if you use TIPC, or disable TIPC if unneeded.

6. References & More Reading

- CVE-2024-36886 MITRE Entry
- Kernel Commit Fix
- Trend Micro ZDI Advisory *(search for CVE-2024-36886)*
- Linux KASAN Documentation

It can lead to kernel memory corruption, leaks, or possible code execution.

- Any distribution relying on TIPC or with CONFIG_TIPC enabled in the kernel is at risk until patched.

Systems not using TIPC should disable TIPC as a hardening measure.

Best Practice: Patch early. Restrict access to TIPC sockets and UDP ports at both network and host level.


*Always keep your system kernel up to date, and monitor advisories like this to avoid being caught by zero-day vulnerabilities!*


*Written exclusively for this platform. (C) 2024.*

Timeline

Published on: 05/30/2024 16:15:12 UTC
Last modified on: 07/03/2024 02:03:41 UTC