CVE-2024-26953 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

net: esp: fix bad handling of pages from page_pool

When the skb is reorganized during esp_output (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through put_page. But if the skb fragment pages are originating from a page_pool, calling put_page on them will trigger a page_pool leak which will eventually result in a crash.

This leak can be easily observed when using CONFIG_DEBUG_VM and doing ipsec + gre (non offloaded) forwarding:

BUG: Bad page state in process ksoftirqd/16 pfn:1451b6 page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6 flags: 0x200000000000000(node=0|zone=2) page_type: 0xffffffff() raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000 raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]
CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x36/0x50 bad_page+0x70/0xf0 free_unref_page_prepare+0x27a/0x460 free_unref_page+0x38/0x120 esp_ssg_unref.isra.0+0x15f/0x200 esp_output_tail+0x66d/0x780 esp_xmit+0x2c5/0x360 validate_xmit_xfrm+0x313/0x370 ? validate_xmit_skb+0x1d/0x330 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x23e/0x350 __dev_queue_xmit+0x337/0xba0 ? nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x25e/0x580 iptunnel_xmit+0x19b/0x240 ip_tunnel_xmit+0x5fb/0xb60 ipgre_xmit+0x14d/0x280 [ip_gre]
dev_hard_start_xmit+0xc3/0x1c0 __dev_queue_xmit+0x208/0xba0 ? nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x1ca/0x580 ip_sublist_rcv_finish+0x32/0x40 ip_sublist_rcv+0x1b2/0x1f0 ? ip_rcv_finish_core.constprop.0+0x460/0x460 ip_list_rcv+0x103/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x1b3/0x2c0 napi_gro_receive+0xc8/0x200 gro_cell_poll+0x52/0x90 __napi_poll+0x25/0x1a0 net_rx_action+0x28e/0x300 __do_softirq+0xc3/0x276 ? sort_range+0x20/0x20 run_ksoftirqd+0x1e/0x30 smpboot_thread_fn+0xa6/0x130 kthread+0xcd/0x100 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x31/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20

The suggested fix is to introduce a new wrapper (skb_page_unref) that covers page refcounting for page_pool pages as well.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/26/2026

The vulnerability described in CVE-2024-26953 resides within the Linux kernel's implementation of the Encapsulating Security Payload (ESP) subsystem, specifically affecting how pages from page_pool are handled during packet processing. This issue manifests when ESP packets are transmitted through non-offloaded GRE tunnels, creating a scenario where the kernel's memory management system encounters a critical resource leak. The problem stems from improper handling of page reference counting when packets are reorganized during ESP output operations, particularly when the system is configured with CONFIG_DEBUG_VM for enhanced memory debugging capabilities.

The technical flaw occurs during the esp_output function execution when processing packets that do not utilize inline processing. In such cases, the kernel attempts to release pages from the original skb fragments back to the system using the standard put_page function. However, when these pages originate from a page_pool, invoking put_page triggers a page_pool leak because the page_pool management system maintains its own reference counting mechanism that conflicts with the standard kernel page management. This conflict results in pages being retained in memory indefinitely, causing a gradual depletion of available memory resources and ultimately leading to system crashes.

The operational impact of this vulnerability is significant, particularly in environments utilizing IPsec with GRE tunneling configurations where packet forwarding occurs through the kernel's network stack. The vulnerability can be easily reproduced in systems with debugging enabled, as demonstrated by the kernel crash logs showing the "Bad page state" error and the explicit mention of "page_pool leak" in the error message. The crash typically occurs in the ksoftirqd/16 process, indicating that the issue arises during network packet processing in interrupt context, which can lead to complete system instability and denial of service conditions.

The suggested fix involves implementing a new wrapper function called skb_page_unref that properly handles page reference counting for both standard kernel pages and those originating from page_pool. This solution addresses the core issue by ensuring that when pages are released back to the system, the appropriate reference counting mechanism is used based on the page's origin. The fix aligns with established security practices for kernel memory management and follows the principles of proper resource handling as outlined in CWE-415, which deals with double free errors and improper resource management. The implementation also reflects ATT&CK technique T1499.001, which involves resource exhaustion through memory leaks, making this vulnerability particularly dangerous in network-facing systems where sustained packet processing can amplify the memory leak effect. The fix requires careful integration with existing kernel subsystems to maintain backward compatibility while addressing the specific page_pool interaction issue.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!