In June 2024, the Linux community patched a critical issue in the kernel’s Realtek Switch (rswitch) driver. Registered as CVE-2024-42108, this vulnerability is a classic use-after-free (UAF) condition triggered during packet processing, specifically in the rswitch_poll() function. This post gives you the low-down: practical code examples, demonstrated exploitability, and original sources, all in plain English.
The Problem: Use-After-Free in rswitch_poll()
The offending code resided in the net/ethernet/renesas/rswitch.c file, part of a network driver for Realtek hardware. The rswitch_poll() function handles network events and, as part of its logic, calls the inlined rswitch_tx_free() function.
What Happened?
- The driver maintains a list of outbound buffer pointers, each pointing to an sk_buff (the structure the kernel uses to manage packets).
In Code
Old (vulnerable) logic:

```c
// Unsafe: use-after-free (pre-patch ordering)
dev_kfree_skb_any(skb);       // frees the buffer
stats->tx_bytes += skb->len;  // dangling pointer usage!
```

Fixed logic:

```c
// Safe (patched ordering)
stats->tx_bytes += skb->len;  // use the buffer first
dev_kfree_skb_any(skb);       // then free it
```
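To make the reordering tangible outside a kernel, here is an added user-space model of the bug (example code, not from the kernel tree or the original post): a stand-in `fake_skb` with just the `len` field, a one-slot allocator that poisons freed objects with 0x6b (the byte the kernel's SLUB debugging uses as POISON_FREE, the same idea that lets debug allocators make stale reads visible), and the pre-patch and patched orderings side by side. The poisoned slot is static memory, so the dangling read is deterministic here rather than undefined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sk_buff: only the field the bug reads. */
struct fake_skb { unsigned int len; };

/* One-slot allocator that poisons freed objects with 0x6b (the kernel's
 * POISON_FREE byte used by SLUB debugging), so a read through a dangling
 * pointer returns poison instead of the packet length. */
#define POISON_FREE 0x6b
static struct fake_skb slot;

static struct fake_skb *fake_alloc_skb(unsigned int len) { slot.len = len; return &slot; }
static void fake_kfree_skb(struct fake_skb *skb) { memset(skb, POISON_FREE, sizeof(*skb)); }

/* Pre-patch ordering from rswitch_tx_free(): free first, account afterwards. */
uint64_t tx_free_vulnerable(unsigned int pkt_len)
{
	uint64_t tx_bytes = 0;
	struct fake_skb *skb = fake_alloc_skb(pkt_len);

	fake_kfree_skb(skb);      /* buffer is released here ... */
	tx_bytes += skb->len;     /* ... and read anyway: yields 0x6b6b6b6b, not pkt_len */
	return tx_bytes;
}

/* Patched ordering: account while the buffer is alive, then free. */
uint64_t tx_free_fixed(unsigned int pkt_len)
{
	uint64_t tx_bytes = 0;
	struct fake_skb *skb = fake_alloc_skb(pkt_len);

	tx_bytes += skb->len;     /* correct: equals pkt_len */
	fake_kfree_skb(skb);
	return tx_bytes;
}

int main(void)
{
	printf("vulnerable ordering counted %llu bytes, fixed ordering counted %llu\n",
	       (unsigned long long)tx_free_vulnerable(1500),
	       (unsigned long long)tx_free_fixed(1500));
	return 0;
}
```

In the real driver the freed sk_buff can be reused by any other allocation, so the value read is whatever landed there; the poison just makes the stale read reproducible, which is exactly why KFENCE-style tooling flags this bug immediately.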
What Makes It Dangerous?
Use-after-free bugs are notorious for enabling kernel data leaks or code execution. If an attacker can trigger the faulty code and control what gets allocated after the buffer is freed, they could potentially:
How Can You Reproduce This?
KFENCE (Kernel Electric Fence), a kernel memory error detector, will catch this bug instantly. But even without advanced tools, anyone with access to a vulnerable kernel and this NIC driver can trigger the bug just by sending ordinary network traffic—for example, ARP or ICMP (ping) packets.
From another machine, ping the host that uses the driver (ping <target-ip>) or send it an ARP probe.
3. Watch dmesg/logs:
Exploit Details (and Code Example)
While this specific bug is a “simple” use-after-free, real exploitation would depend on kernel memory reuse—hard to guarantee, but not impossible.
Simulated Exploit Concept
Goal: See if kernel memory for an sk_buff can be reallocated before the stats pointer is used.
Pseudo-code PoC
```c
// Pseudo-code sketch: pkt_data, pkt_len and alloc_fake_skb() are placeholders, not real APIs
void trigger_uaf(int fd) {
    // This causes the kernel to allocate and release a tx buffer
    write(fd, pkt_data, pkt_len); // send packet
    // Now, spam allocations to try to take over freed memory
    for (int i = 0; i < 100; ++i)
        alloc_fake_skb(); // e.g., send more packets or use some other kernel API
    // Watch for stats corruption, crash, or dmesg errors!
}
```
Realistic Risk
In a typical system, the race window is slim, but determined adversaries could abuse patterns like this for DoS or data leaks.
Patch Commit:
net: rswitch: Avoid use-after-free in rswitch_poll()
CVE Record:
Kernel code context:
rswitch.c (Linux mainline source)
If you use Realtek rswitch hardware with Linux pre-patch, yes.
Fix:
Exploitability
- This is not a remote code execution risk outright, but *any* UAF in the kernel is a serious stability and security concern.
Summary
CVE-2024-42108 is a textbook case of use-after-free, fixed by simply reordering two lines in the Linux kernel’s rswitch driver. If you operate Linux networking on Realtek hardware, upgrading ASAP is a must. Even if not easily weaponized, leaving these flaws open is risky and unnecessary.
Further reading
- Linux Kernel Mailing List - Patch Discussion
- LMG: Use-After-Free Explanations
*If you found this useful, share or comment below! Questions about specifics? Let me know!*
Timeline
Published on: 07/30/2024 08:15:03 UTC
Last modified on: 08/21/2024 20:52:35 UTC