In the Linux kernel, a vulnerability involving the TCP_BPF sk_mem_uncharge logic was recently discovered and resolved. This vulnerability, identified as CVE-2024-56633, could lead to incorrect memory accounting and cause warnings during selftest.

Details

The vulnerability stems from the sk memory accounting logic in the __SK_REDIRECT case. That logic pre-uncharges 'tosend' bytes before the send, where 'tosend' is either msg->sg.size or the smaller value 'apply_bytes'. This strategy has two problems:

1. If the actual sent bytes are smaller than 'tosend', we would need to charge some bytes back as in line 487. Although this works, it is not a clean solution.

2. When 'tosend' is set to 'apply_bytes' (as in line 417) and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes.

Code Snippet

415 tosend = msg->sg.size;
416 if (psock->apply_bytes && psock->apply_bytes < tosend)
417   tosend = psock->apply_bytes;
[...]
443 sk_msg_return(sk, msg, tosend);
444 release_sock(sk);
446 origsize = msg->sg.size;
447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,
448                             msg, tosend, flags);
449 sent = origsize - msg->sg.size;
[...]
454 lock_sock(sk);
455 if (unlikely(ret < 0)) {
456   int free = sk_msg_free_nocharge(sk, msg);
458   if (!cork)
459     *copied -= free;
460 }
[...]
487 if (eval == __SK_REDIRECT)
488   sk_mem_charge(sk, tosend - sent);
[...]

When running the selftest 'test_txmsg_redir_wait_sndmem' with 'txmsg_apply', a warning is reported as shown below:

------------[ cut here ]------------
WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0
...
---[ end trace 0000000000000000 ]---

To address this issue, the uncharging should be delayed until the number of sent bytes is finalized, and only that finalized value should be uncharged. Additionally, when (ret < 0), 'sk_msg_free' should be invoked so that the freed bytes are uncharged as well.
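The accounting mismatch is easier to see in a small model. The following C program is an added illustration, not kernel code: it tracks only two numbers, the bytes accounted to the socket and the bytes still held by the message, replays the old and the fixed __SK_REDIRECT flows on them, and returns the difference that inet_sock_destruct() would warn about (all struct and function names here are hypothetical).

```c
/* Hypothetical model of the sk memory accounting around __SK_REDIRECT.
 * sk.charged = bytes accounted to the socket, msg.size = bytes really
 * held in the sk_msg. Bytes handed to the redirect socket are accounted
 * there, so they are ignored here. When the message is gone the two
 * values must match; a positive residual is accounted-but-unheld memory,
 * which is what triggers the inet_sock_destruct() warning. */
#include <assert.h>

struct sk_model  { long charged; };  /* sk_forward_alloc / wmem */
struct msg_model { long size; };     /* msg->sg.size */

/* tosend selection as in lines 415-417 */
static long pick_tosend(long msg_size, long apply_bytes)
{
	long tosend = msg_size;
	if (apply_bytes && apply_bytes < tosend)
		tosend = apply_bytes;
	return tosend;
}

/* Old flow: pre-uncharge tosend, free without uncharge on error,
 * charge tosend - sent back only on the success path (line 488). */
long redirect_before_fix(long msg_size, long apply_bytes, long sent, int ret)
{
	struct sk_model sk = { .charged = msg_size };
	struct msg_model msg = { .size = msg_size };
	long tosend = pick_tosend(msg_size, apply_bytes);

	assert(sent <= tosend);
	sk.charged -= tosend;                 /* sk_msg_return()         */
	msg.size -= sent;                     /* tcp_bpf_sendmsg_redir() */
	if (ret < 0)
		msg.size = 0;                 /* sk_msg_free_nocharge()  */
	else if (msg.size)
		sk.charged += tosend - sent;  /* sk_mem_charge()         */
	return sk.charged - msg.size;         /* 0 means consistent      */
}

/* Fixed flow: uncharge the finalized sent count, sk_msg_free() on error. */
long redirect_after_fix(long msg_size, long apply_bytes, long sent, int ret)
{
	struct sk_model sk = { .charged = msg_size };
	struct msg_model msg = { .size = msg_size };

	assert(sent <= pick_tosend(msg_size, apply_bytes));
	msg.size -= sent;                     /* tcp_bpf_sendmsg_redir()   */
	sk.charged -= sent;                   /* sk_mem_uncharge(sk, sent) */
	if (ret < 0) {
		sk.charged -= msg.size;       /* sk_msg_free() uncharges   */
		msg.size = 0;
	}
	return sk.charged - msg.size;
}
```

With a 1000-byte message, apply_bytes of 400 and a failed send, the old flow leaves 600 bytes charged with nothing behind them, exactly the (msg->sg.size - apply_bytes) case above; the fixed flow returns 0 in every case.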

The same problem exists in the __SK_DROP case, where (msg->sg.size - apply_bytes) bytes may likewise go uncharged and the same warning can appear in the selftest. Therefore, 'sk_msg_free_partial' needs to be changed to 'sk_msg_free' there as well.

References

The original patches detailing the vulnerability and its resolution can be found in the following links:

1. Patch 1/2
2. Patch 2/2

Conclusion

The TCP_BPF memory accounting vulnerability in the Linux kernel has been resolved with the changes to the '__SK_REDIRECT' and '__SK_DROP' cases described above. These changes keep the socket's memory accounting consistent with the memory actually held, which removes the warning. If you're running the Linux kernel, apply the latest security updates and patches to ensure your system remains protected.

Timeline

Published on: 12/27/2024 15:15:22 UTC
Last modified on: 01/20/2025 06:24:33 UTC