CVE CyberSecurity Database News

CVE-2024-49571 - Critical Linux Kernel Vulnerability in net/smc and How It Was Fixed

Poster -

The Linux kernel is often at the heart of our most trusted infrastructure, powering servers, cloud stacks, and millions of devices. However, from time to time, vulnerabilities sneak into its code—one such flaw was discovered and patched recently: CVE-2024-49571. This vulnerability existed in the net/smc (Shared Memory Communications) subsystem of the Linux kernel and had the potential to crash systems remotely with a malformed message. In this post, I'll explain, in plain English, what CVE-2024-49571 is, how the bug could be exploited, show you the relevant code snip, and provide links for you to dive deeper.

What Is CVE-2024-49571?

In SMC (Shared Memory Communications) networking, the kernel's server receives a proposal message from a remote client and uses several fields from this message to process the request. Two of these fields—iparea_offset and ipv6_prefixes_cnt—did not have proper bounds checking. Since these fields come from the client, a malicious or buggy client could send unexpected values (like huge numbers), which would cause the kernel to access memory it shouldn't, leading to a crash (kernel panic), or possibly more severe consequences.

Vulnerable Code (Before the Patch)

/* Processing incoming proposal msg */
struct smc_proposal *proposal = get_proposal_msg();
u32 iparea_offset = proposal->iparea_offset;
u32 ipv6_prefixes_cnt = proposal->ipv6_prefixes_cnt;

/* These values are used without checking */
struct smc_iparea *iparea = &msg->iparea[iparea_offset];

/* ...Could cause invalid memory access if iparea_offset is too large! */

Problem:
There was no check to see if iparea_offset or ipv6_prefixes_cnt had "sane" values. If iparea_offset was way too large, the server could read from memory it shouldn't, causing a crash.

The maintainers added checks like this

/* Added sanity checks before using values from client */
if (iparea_offset >= MAX_IPAREA || ipv6_prefixes_cnt > MAX_IPV6_PREFIXES) {
    // log error and reject the proposal
    return -EINVAL;
}

struct smc_iparea *iparea = &msg->iparea[iparea_offset];

/* Now we know iparea_offset is safe to use */

Fix:
Now, before the kernel trusts and uses the values, it checks if they’re within safe limits. If not, it rejects the message.

How Could This Be Exploited?

A bad actor could send a proposal message with a huge iparea_offset or ipv6_prefixes_cnt. When the Linux server running the vulnerable kernel code receives it:

The calculation would reference out-of-bounds memory.

- This could lead to a kernel crash (denial of service), which is bad especially for servers, clusters, or any internet-facing system using SMC.

In the worst-case scenario, if other exploit primitives are chained, remote code execution could be possible, but there is no evidence of this for CVE-2024-49571 so far.

A proof-of-concept for the attack would look something like this (in highly simplified pseudocode)

# Simulated client: sends malicious values to the server

proposal_msg = {
    'iparea_offset': xFFFFFFFF,  # crazy big
    'ipv6_prefixes_cnt': x100,   # just as bad
    # other required fields...
}
send_to_kernel_server(proposal_msg)

On a vulnerable server, this could lead to a crash when the kernel dereferences the wrong memory location.

Who's at Risk?

If you are running a server with the SMC subsystem enabled in the Linux kernel, especially in public or semi-public environments where untrusted clients can initiate SMC connections, you should upgrade immediately.

References and Further Reading

- Linux Kernel Patch Commit for CVE-2024-49571 (LKML)
- NVD Entry: CVE-2024-49571
- SMC subsystem documentation in Linux source tree

Conclusion

CVE-2024-49571 was a serious Linux kernel vulnerability in the net/smc code, caused by insufficient validation of values received from remote clients. By simply adding some basic sanity checks, the kernel maintainers prevented a potentially easily exploitable avenue for crashing vulnerable servers. If you operate Linux systems using SMC, update as soon as possible.

Timeline

Published on: 01/11/2025 13:15:24 UTC
Last modified on: 05/04/2025 09:39:27 UTC