A Linux kernel vulnerability has recently been addressed: an out-of-bounds (OOB) map write when deleting elements in the xsk_map_delete_elem function. The flaw stems from an improper comparison between an unsigned integer and a user-controlled signed integer, which can lead to memory corruption and other undesirable consequences.

Vulnerability Details

In the Linux kernel, the xsk_map_delete_elem function compares an unsigned integer (map->max_entries) with a user-controlled signed integer (k). Because of implicit type conversion, a negative k is treated as a large unsigned value in the comparison, so when map->max_entries is itself a large unsigned value the intended bounds check is bypassed:

    if (k >= map->max_entries)
        return -EINVAL;

This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], resulting in an out-of-bounds access:

    spin_lock_bh(&m->lock);
    map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry
    old_xs = unrcu_pointer(xchg(map_entry, NULL)); // OOB write
    if (old_xs)
        xsk_map_sock_delete(old_xs, map_entry);
    spin_unlock_bh(&m->lock);

The xchg operation can then be used to cause an out-of-bounds write. Furthermore, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption.
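To make the type-conversion failure concrete, here is a stand-alone model of the check, added as an example and not the kernel's code: vulnerable_check stores the key in a signed int exactly as the page describes, fixed_check keeps it unsigned (the approach the upstream patch takes), and index_in_bounds reports whether an accepted index really lands inside the array. model_map, the function names and the sample cases are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the one field the check reads; not the kernel's struct. */
struct model_map { uint32_t max_entries; };
/* Vulnerable variant: the 32-bit key lands in a signed int, as the page describes.
 * Returns 1 if the key passes (0 means -EINVAL) and stores the index m->xsk_map[k] would use. */
int vulnerable_check(const struct model_map *map, const void *key, int64_t *index)
{
    int k = *(const uint32_t *)key;   /* raw values >= 0x80000000 become negative */
    *index = k;
    /* Usual arithmetic conversions make this an unsigned comparison: a negative k is
     * rejected only when max_entries <= (uint32_t)k, so a huge max_entries lets it through. */
    if (k >= map->max_entries)
        return 0;
    return 1;
}
/* Hardened variant: keep the key unsigned so no negative index can exist. */
int fixed_check(const struct model_map *map, const void *key, int64_t *index)
{
    uint32_t k = *(const uint32_t *)key;
    *index = k;
    if (k >= map->max_entries)
        return 0;
    return 1;
}
/* 1 if an index that passed a check really lies inside the array. */
int index_in_bounds(const struct model_map *map, int64_t index)
{
    return index >= 0 && (uint64_t)index < map->max_entries;
}

int main(void)
{   /* Constructed cases: map size and the raw 32-bit key as user space would pass it. */
    struct { uint32_t max_entries, key; } cases[] = {
        { 64u,         0xFFFFFFFEu },  /* small map: k == -2 is rejected by both checks */
        { 0xFFFFFFFFu, 0xFFFFFFFEu },  /* huge map: k == -2 passes the vulnerable check */
        { 0xFFFFFFFFu, 0xFFFFFFFFu },  /* k == -1 is always rejected, hence the -2 limit */
        { 0x80000001u, 0x80000000u },  /* k == INT_MIN passes the vulnerable check */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct model_map m = { cases[i].max_entries };
        int64_t vi, fi;
        int va = vulnerable_check(&m, &cases[i].key, &vi), fa = fixed_check(&m, &cases[i].key, &fi);
        printf("max_entries=%u key=0x%08x | vulnerable: accepted=%d index=%lld oob=%d | fixed: accepted=%d oob=%d\n",
               m.max_entries, cases[i].key, va, (long long)vi, va && !index_in_bounds(&m, vi),
               fa, fa && !index_in_bounds(&m, fi));
    }
    return 0;
}
```

The small-map case shows why the page ties the bypass to a large max_entries: with a realistic map size the converted negative k is still rejected.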

The above issue results in a kernel panic, with the splat shown in this excerpt of the log:

[76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108
[76612.904330] #PF: supervisor write access in kernel mode
[76612.909639] #PF: error_code(0x0002) - not-present page
---truncated---

Original Reference

The original discussion of this issue can be found in Jordy's post on the kernel mailing list, which also contains the patch that fixes this vulnerability.

Impact and Exploitation

An attacker could exploit this vulnerability by supplying a specially crafted value for k, causing out-of-bounds memory access and memory corruption and potentially compromising system security. Because the flaw is in kernel space, the impact could be significant.

Mitigation and Recommendation

The vulnerability has been fixed in the Linux kernel, so updating to the latest stable version with the relevant patches applied is recommended. For those who cannot update immediately, limiting which users can reach the affected function could serve as a temporary workaround.

In conclusion, CVE-2024-56614 highlights the importance of proper type handling and bounds checking when working with user-controlled input. Doing so lets developers minimize the risk of out-of-bounds memory access and other security flaws, resulting in a more secure and stable system.

Timeline

Published on: 12/27/2024 15:15:20 UTC
Last modified on: 01/20/2025 06:24:11 UTC