CVE-2024-53094 - Linux Kernel RDMA/SIW – How a Sendpage Check Fixed a Sneaky Kernel Crash

A newly assigned Linux kernel vulnerability, CVE-2024-53094, fixes a critical but subtle bug in the way the Software iWARP (SIW) RDMA driver handled certain network operations. If you’re using RDMA applications like iSER over SIW, this bug could make your system crash or behave unpredictably. This post explains what happened, shows the problematic code, why it broke, how it got fixed, and provides exploit details to help you understand the risks.

What is the Problem?

When using SIW (Software iWARP), a type of RDMA (Remote Direct Memory Access) in Linux, the kernel may try to send data via network buffers attached to slab pages (memory pages used by the Linux slab allocator, not regular “file-backed” memory pages). If you use splice() or similar syscalls that attempt zero-copy networking, the kernel can wrongly try to send those slab-backed pages directly down the socket stack. That’s a big no-no.

The broken flow shows up as a warning like this

WARNING: CPU:  PID: 5342 at net/core/skbuff.c:714 skb_splice_from_iter+x173/x320
  Call Trace:
   tcp_sendmsg_locked+x368/xe40
   siw_tx_hdt+x695/xa40 [siw]
   siw_qp_sq_process+x102/xb00 [siw]
   siw_sq_resume+x39/x110 [siw]
   siw_run_sq+x74/x160 [siw]
   kthread+xd2/x100
   ret_from_fork+x34/x40
   ret_from_fork_asm+x1a/x30

What Caused It?

The SIW driver didn’t check if the lower-level network driver could actually handle the “zero-copy” pages. The MSG_SPLICE_PAGES flag tells the kernel “you can send pages directly,” but not all socket types support this. The right thing to do is call sendpage_ok() to ask the network stack if this trick is allowed.

Similar bugs have happened before, such as in NVMe-over-TCP (Discussion Thread).

The Patch: How Developers Fixed It

Here’s the short fix: before sending the message, check if the network stack is OK with direct page sending. If not, clear the MSG_SPLICE_PAGES flag so the kernel falls back to the safe (slower) path.

Relevant Patch (simplified for clarity)

// In the SIW driver, before sending the message...
struct socket *sock = ...;
int flags = ...; // includes MSG_SPLICE_PAGES

// Check if zero-copy sendpage is OK
if (!sock->ops->sendpage_ok || !sock->ops->sendpage_ok(sock)) {
    flags &= ~MSG_SPLICE_PAGES; // Remove zero-copy optimization
}

// Now pass 'flags' to the kernel's sendmsg/sendpage function

What this change does:
If the network type isn't safe for direct page splicing, it disables zero-copy, avoiding the warning and crash.

Exploit Details (How an Attacker Could Use This Bug)

This bug isn’t directly a privilege escalation or remote exploit, but in real-world cloud or storage scenarios, it can be used to crash servers or trigger a denial of service, especially where iSER (iSCSI Extensions for RDMA) over SIW is used with splicing-heavy workloads.

Exploitation Scenario

1. Systems Affected: Any Linux server with the SIW module loaded and RDMA workloads (iSER or others) using splice/sendfile API.
2. Attack Vector: Malicious user or crafted workload triggers RDMA data transfers that induce slab page use, while the kernel is missing this patch.

You can crash a vulnerable kernel with

# This only works if SIW/iSER is set up and you control both ends.
import socket, os

fd = os.open('/dev/zero', os.O_RDONLY)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('target-rdma-ip', 326)) # iSER default port

# Send a large file using splice or sendfile (simulate heavy RDMA traffic)
os.sendfile(sock.fileno(), fd, , 1048576) # 1MB

With the bug, the kernel may crash with the previously shown warning.

How to Stay Safe

- Update to a Linux kernel with the patch for CVE-2024-53094 included (see official Linux kernel commit, soon to mainline).
- If you use SIW but can't upgrade, avoid using splice/sendfile over iSER workloads.

References

- Upstream Patch Discussion
- Linux kernel source history
- CVE Details database entry (pending)
- RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES

Conclusion

CVE-2024-53094 is a great example of how subtle differences in memory or buffer handling can bubble up into crashing bugs on modern, high-performance servers. If you manage Linux servers with RDMA over SIW, make sure you’re up to date. A few lines of defensive code can save you from nasty surprises and production outages.

Timeline

Published on: 11/21/2024 19:15:12 UTC
Last modified on: 12/24/2024 15:07:35 UTC