CVE-2024-42139 - Linux Kernel ICE extts Event Handling Bug – Explained with Exploit Details

A newly disclosed vulnerability, CVE-2024-42139, affects the Linux kernel’s ICE (Intel Ethernet Controller) PTP (Precision Time Protocol) functionality. If you run high-precision time synchronization applications using Ethernet controllers with hardware timestamping, this bug is important to understand. We'll break down the bug, show where the code went wrong, provide practical exploit details, and link to further resources.

What Is CVE-2024-42139?

CVE-2024-42139 is a vulnerability in the Linux kernel’s ice driver, related to mishandling of "extts" (external timestamp) events. When an application like ts2phc enables extts events and the driver is removed while the app is running, the kernel can crash because extts events don't get disabled properly. If you reload the driver and restart the application, leftover extts events will keep firing, leading to error messages and possible further instability.

Why Is This Dangerous?

- Kernel Crash: A non-privileged user running time sync software (like ts2phc or ptp4l) can potentially crash the whole system by simply requesting timestamps and removing the ice kernel module.
- Device Instability: Even after a reboot, repeated errors can continue because the events aren't cleaned up until the system is completely reset.

Technical Details and Vulnerable Code

The ICE driver should disable all extts events when its PTP (Precision Time Protocol) device is released. The bug is that these events stayed enabled, leading to dangling and unexpected behavior.

Here’s a simplified look at the (fixed) logic in the ice_ptp_release() function

// Poor handling before the fix:
static void ice_ptp_release(struct ice_pf *pf)
{
    // ... 
    // Missing: extts disable code.
}

// Fixed version:
static void ice_ptp_release(struct ice_pf *pf)
{
    // Properly disable extts events on all channels
    for (int i = ; i < MAX_EXTTS_CHANNELS; ++i) {
        if (pf->extts[i].enabled) {
            ice_ptp_extts_disable(pf, i);
        }
    }
}

What went wrong:
When the kernel module was removed/unloaded (rmmod ice), the cleanup failed to disable hardware extts events. These persisted, and when the module loaded again, it caused "extts on unexpected channel" messages and potential memory corruption or crashes.

Optional: Re-insert the driver and restart ts2phc.

Result:
The system may crash with a kernel panic, or the application will report repeated "extts on unexpected channel" errors, and performance degrades. Malicious actors can use this to cause DoS on time-sensitive infrastructure.

Update your kernel:

Ensure your system is running a Linux kernel version that includes the fix for CVE-2024-42139 (released June 2024).

Monitor for suspicious log messages:

Check dmesg or /var/log/messages for repeated "extts on unexpected channel" messages.

Further Reading & References

- Linux Kernel Patch Commit
- CVE-2024-42139 on NVD
- ts2phc utility
- PTP (Precision Time Protocol) in Linux

Why This Matters

If you use precision timekeeping in your Linux infrastructure—a key feature in financial trading, telecom, industrial control, and datacenter environments—this kernel bug could let ordinary users crash core systems. Given how easy it is to trigger (just run ts2phc and remove the ice driver), updating is critical.


Stay current, stay safe. If you want more deep dives like this, let us know!

Timeline

Published on: 07/30/2024 08:15:05 UTC
Last modified on: 12/11/2024 15:13:24 UTC