CVE CyberSecurity Database News

CVE-2024-41010 - Use-After-Free in Linux Kernel BPF TCX Entries – Anatomy, Exploit Path, and Patch Explained

Poster -

1. Vulnerability Overview

CVE-2024-41010 is a critical use-after-free (UAF) bug affecting the Linux kernel's handling of tcx_entry objects in the BPF subsystem, especially when using the "ingress" or "clsact" qdiscs (queueing disciplines). This bug can allow local attackers (with limited privileges) to exploit kernel memory, potentially escalating privileges or causing crashes.

Severity: High

This post demystifies the bug and the series of operations needed to trigger it, and how it was fixed.


2. How the UAF Happens

The vulnerability exists due to the tcx_entry structure being freed too early during some queueing discipline (qdisc) changes, particularly involving "ingress" or "clsact" types, when manipulating network namespaces and shared TC blocks.

Possibility of exploits: UAF bugs can let attackers read or write kernel memory.

Sequence in kernel terms (simplified)

rtnetlink_rcv_msg() → tc_modify_qdisc() 
  → qdisc_create() [creates clsact]
  → qdisc_graft() → qdisc_destroy() → ingress_destroy()
    → tcx_entry_free() → kfree_rcu()

(cleanup time)
cleanup_net() → ... → clsact_destroy()
  → tcf_chain_head_change_cb_del()
    → mini_qdisc_pair_swap()  // UAF!

Vulnerable Pattern (Before Patch)

// pseudo-code: miniq_active was a boolean
if (miniq_active) {
    tcx_entry_free(tcx_ent); // Freed too soon!
}

Fixed Pattern (After Patch)

// miniq_active is now a counter (not just true/false)
if (--miniq_active == ) {
    tcx_entry_free(tcx_ent); // Only free when ref drops to 
}

Why not atomic?
All access to the counter is guarded by the rtnl mutex, meaning only one code path can run at a time, avoiding race conditions.


PoC Approach (Simplified Steps for Researchers)

ip netns add testns
ip netns exec testns tc qdisc add dev lo ingress
ip netns exec testns tc filter add dev lo ingress ...
# Attach chain to block 1 (requires specific TC filter commands)
ip netns exec testns tc qdisc replace dev lo clsact
ip netns del testns  # Triggers cleanup and potential UAF

Notes: Actual exploitation would require precise TC filter commands. However, bug reports suggest these steps can trigger the crash reliably.


Old approach: Used a simple boolean flag (miniq_active) to track if a tcx_entry was needed.

- Broke when two qdiscs shared the same TC block: one would free the entry, leaving the other with a dangling pointer.

Key insight

All modifications are done while holding the RTNL lock, so kernel concurrency issues don’t matter here, keeping it simple but accurate.

Result:
No more use-after-free, as objects are only freed when all relevant users are gone.


Original commit fix and discussion:

Linux Kernel Mailing List Patch ("bpf: Fix too early release of tcx_entry")

CVE Details:

Mitre CVE-2024-41010

Linux "tc" man page:

iproute2 tc documentation

See net/sched/cls_api.c and related files in the Linux kernel source.


Summary:
*CVE-2024-41010 was a subtle and dangerous bug in Linux’s traffic control codebase, opening up the potential for kernel UAF vulnerabilities by freeing chain-tracking objects too soon. Its fix is a lesson that a simple counter can sometimes prevent entire classes of lifetime management bugs in shared resources.*


*If you use containers, network namespaces, or rely on advanced Linux networking features, patch your kernel promptly. UAF bugs are a favorite target for kernel exploits!*

Timeline

Published on: 07/17/2024 07:15:02 UTC
Last modified on: 07/19/2024 15:24:59 UTC