CVE-2024-26675 in Linux
Summary
by MITRE • 04/02/2024
In the Linux kernel, the following vulnerability has been resolved:
ppp_async: limit MRU to 64K
syzbot triggered a warning [1] in __alloc_pages():
WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
[1]:
WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: events_unbound flush_to_ldisc pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 sp : ffff800093967580 x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 Call trace: __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 __alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 __do_kmalloc_node mm/slub.c:3969 [inline]
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
dev_alloc_skb include/linux/skbuff.h:3248 [inline]
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/17/2025
The vulnerability CVE-2024-26675 affects the Linux kernel's ppp_async module, specifically within the ppp_async_ioctl function when handling the PPPIOCSMRU command. This issue arises from a lack of proper input validation for Maximum Receive Unit (MRU) values, which can lead to excessive memory allocation requests that exceed system limits. The warning message indicates a failure in the __alloc_pages function where an order parameter exceeds MAX_PAGE_ORDER, suggesting that the kernel attempted to allocate an amount of memory that surpasses the maximum allowed page order threshold. This condition can result in system instability or denial of service due to memory allocation failures. The vulnerability is classified under CWE-122 as insufficient input validation, which allows for improper memory handling and potential exploitation. The flaw is particularly concerning in environments where PPP (Point-to-Point Protocol) asynchronous connections are used, such as dial-up networks or certain embedded systems. The issue manifests when an attacker or malicious process sets an MRU value that is excessively large, triggering the kernel to attempt allocating memory that cannot be satisfied by the system's current memory management capabilities. This type of vulnerability aligns with ATT&CK technique T1059.001, which involves the use of command and scripting interpreters, potentially through crafted PPP configurations that leverage the kernel's memory allocation mechanisms.
The technical root cause stems from the absence of a sanity check in the ppp_async_ioctl function before processing MRU values. The fix implemented mirrors a previous solution from commit c0a2a1b0d631, which established a limit of 64K for MRU values to prevent memory allocation issues. This approach directly addresses the immediate problem by bounding the input to reasonable limits, preventing the kernel from attempting to allocate memory blocks that would otherwise exceed the system's page allocation capabilities. The kernel's memory management subsystem, specifically the page allocation routines in mm/page_alloc.c, generates the warning when it encounters an allocation request that cannot be fulfilled due to exceeding MAX_PAGE_ORDER. The call trace shows the allocation path originating from ppp_async_input through several kernel networking components including skbuff allocation functions, indicating that the vulnerability impacts the entire PPP asynchronous data path. This vulnerability represents a classic case of insufficient input validation leading to resource exhaustion, where an attacker can manipulate the MRU parameter to force the kernel into a state where it cannot satisfy memory allocation requests. The fix ensures that MRU values are constrained to 64K, which aligns with standard PPP protocol limitations and prevents the system from attempting allocations that would otherwise cause kernel panic or system instability.
The operational impact of this vulnerability extends beyond simple denial of service, as it can lead to complete system crashes or unavailability of network services that rely on PPP asynchronous connections. Systems running vulnerable kernels may experience unexpected restarts or lockups when malicious or malformed MRU values are processed, particularly in environments with high network traffic or automated network management systems. The vulnerability affects any system using the ppp_async module, which includes various network configurations such as dial-up connections, serial PPP links, and certain embedded network appliances. The potential for exploitation is significant because the MRU parameter can be modified through standard ioctl interfaces, making it accessible to both local and potentially remote attackers. Network administrators should be aware that systems with PPP asynchronous capabilities, especially those in production environments, are at risk. The fix implements a defensive programming approach by enforcing upper bounds on user-controllable parameters, which is consistent with the principle of least privilege and input sanitization. This vulnerability demonstrates the importance of proper parameter validation in kernel space, where input from user-space processes can directly impact system stability and resource availability. The impact is particularly severe in systems where PPP services are critical, such as legacy network infrastructure or embedded devices that rely on serial communication protocols.
Mitigation strategies for this vulnerability involve applying the kernel patch that enforces the 64K MRU limit, which should be prioritized in all production environments. System administrators should also consider monitoring for unusual MRU value changes through logging or intrusion detection systems, as such modifications may indicate malicious activity or misconfiguration. The fix should be applied across all systems running affected kernel versions, particularly those with PPP asynchronous capabilities. Additional protective measures include restricting access to PPP ioctl interfaces where possible, implementing proper input validation at higher levels of the network stack, and ensuring that all kernel updates are applied promptly. Network segmentation and access control can help limit the potential impact if an attacker manages to exploit this vulnerability through a compromised system. Organizations should also consider implementing automated patch management processes to ensure timely deployment of security fixes. The vulnerability highlights the need for comprehensive testing of kernel modules under various input conditions, particularly those involving memory allocation and user-controllable parameters. Regular security audits of kernel configurations and network services can help identify potential exposure points. The solution aligns with security best practices for kernel development and demonstrates the importance of defensive programming techniques in preventing resource exhaustion attacks. This vulnerability serves as a reminder of the critical nature of kernel security and the potential for seemingly minor input validation issues to result in significant system stability problems.