In June 2024, a vulnerability was disclosed in the Linux kernel's bonding driver, tracked as CVE-2024-44990. This subtle bug could crash your machine via a kernel NULL pointer dereference if the bonding code failed to check for an active slave before de-referencing a pointer in the bond_ipsec_offload_ok function.
Below, we’ll break down what went wrong, why it mattered, and show you the fixed code. (If you want to see the original commit, check here.)
What Is the Bonding Driver?
The Linux bonding driver (module: bonding) lets you group (or "bond") multiple network interfaces into a single logical interface for redundancy or increased throughput. Real-life setups often use it for improved network reliability.
What’s the Bug in Bonded Device Offloading?
Inside the kernel, the function bond_ipsec_offload_ok() verifies if IPsec network offloading can be supported. Before a recent fix, this function assumed that at least one "slave" network device was always active when it ran.
But take a look at this simplified line
struct slave *slave = bond->curr_active_slave;
ret = slave->dev->feature;
If there are no active slaves (curr_active_slave == NULL), slave->dev will cause a kernel panic (accessing memory at address ).
Real-World Impact
An attacker or buggy userspace process could trigger code paths where the bonding interface has no active slaves and then attempts to use offloading features. BOOM—your kernel panics, resulting in a denial of service.
The Fix: Check That Pointer
The solution is super simple: check that curr_active_slave isn’t NULL before accessing it.
Vulnerable snippet
struct slave *slave = bond->curr_active_slave;
// <-- bug here - no check!
return slave->dev->feature;
Patched version
struct slave *slave = bond->curr_active_slave;
// Fix: add a null check before using 'slave'
if (!slave)
return ; // or another safe value
return slave->dev->feature;
Relevant upstream patch:
https://git.kernel.org/linus/6e19c6ef04ce7ab6bc441abfa9f644e101e673ff
Exploit Scenario: How Could This Be Abused?
While no full public exploit is known yet (as of June 2024), here’s what a malicious script could try:
Remove all slave interfaces (detach them programmatically).
- Use (or trick something into using) the offload feature, causing code to run through bond_ipsec_offload_ok().
Proof-of-concept (PoC) sketch
# (1) Create bond, add slaves
ip link add bond type bond
ip link set eth1 master bond
ip link set eth2 master bond
# (2) Remove all slaves
ip link set eth1 nomaster
ip link set eth2 nomaster
# (3) Try to trigger the bond device with IPsec offload traffic
# (here you would need to generate IPsec traffic; see your distro's ip xfrm tools)
More complete PoCs may rely on interacting directly with netlink or kernel features, or by writing a C program to tickle the offload logic.
Who’s Affected?
Anyone running a recent Linux kernel using bonding network devices *and* any kind of feature that hits bond_ipsec_offload_ok() (e.g., IPsec offloading).
All major Linux distributions using versions before the fix.
- Docker/Kubernetes and hypervisor platforms using bond interfaces.
Upgrade your kernel to a version where this patch is merged.
- If you manage your system’s kernel manually, backport the null pointer check from the referenced commit.
References
- Linux kernel patch, "bonding: fix null pointer deref in bond_ipsec_offload_ok"
- Security Tracker Entry for CVE-2024-44990
- Linux Bonding Driver Documentation
Conclusion
CVE-2024-44990 is another example of how a missing null-pointer check—easy to make, hard to spot—can undermine Linux reliability and security. If you rely on bonded interfaces, double-check your kernel! Patch now to stay protected.
Timeline
Published on: 09/04/2024 20:15:08 UTC
Last modified on: 09/06/2024 16:31:12 UTC