CVE-2024-26615 in Linux
Summary
by MITRE • 03/11/2024
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix illegal rmb_desc access in SMC-D connection dump
A crash was found when dumping SMC-D connections. It can be reproduced by following steps:
- run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d -H 'Connection: Close'
- continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D'
BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
Call Trace: ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76
It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/13/2024
The vulnerability described in CVE-2024-26615 resides within the Linux kernel's SMC-D (Scalable Memory Communication - Direct) subsystem, specifically affecting the connection dump functionality. This issue manifests as a kernel NULL pointer dereference when attempting to dump SMC-D connections through diagnostic tools such as smcss with the -D flag. The flaw occurs during the execution of the __smc_diag_dump function, which is part of the smc_diag kernel module responsible for providing diagnostic information about SMC connections. The crash happens at address 0x0000000000000030, indicating an attempt to access memory that has not been properly initialized, which is a classic symptom of improper state handling in concurrent systems.
The technical root cause of this vulnerability stems from a race condition in the SMC-D connection lifecycle management. During the connection establishment process, the smc_conn_create() function registers the connection in a link group, but the smc_buf_create() function that initializes the rmb_desc field has not yet been executed. This creates a window where a dump operation can access an uninitialized rmb_desc pointer, leading to the NULL pointer dereference. The vulnerability is particularly dangerous because it can be triggered through normal operational procedures involving nginx and wrk stress testing combined with continuous connection monitoring via watch command. The call trace demonstrates that the error originates from the __smc_diag_dump function which attempts to access conn->rmb_desc without proper validation, violating fundamental kernel safety principles.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling denial of service attacks against systems running SMC-D enabled applications. When exploited, the vulnerability can cause kernel oops messages and system instability, particularly in high-concurrency environments where SMC-D connections are actively established and monitored. The vulnerability affects systems running Linux kernel versions including 6.7.0 and potentially earlier versions where the SMC-D functionality is present. This creates a significant risk for enterprise environments that rely on high-performance networking protocols and continuous monitoring of connection states. The crash occurs in kernel space, which means that successful exploitation can lead to complete system instability and potential data loss, as the kernel cannot recover from such critical memory access violations.
Mitigation strategies for this vulnerability include immediate kernel updates to versions that contain the fix implemented by checking for proper initialization of rmb_desc before accessing it during dump operations. Administrators should also implement monitoring solutions to detect unusual patterns in SMC-D connection dumps that might indicate this vulnerability is being exploited. The fix involves adding proper validation checks in the __smc_diag_dump function to ensure that rmb_desc is properly initialized before any access attempts, aligning with CWE-476 which addresses NULL pointer dereference issues. Additionally, system administrators should consider disabling SMC-D functionality if it is not required for their specific use cases, particularly in environments where the risk of concurrent connection establishment and dump operations is high. The ATT&CK framework categorizes this as a system compromise through kernel exploitation, with techniques such as privilege escalation and denial of service being potential outcomes of this vulnerability.