CVE-2024-36937 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

xdp: use flags field to disambiguate broadcast redirect

When redirecting a packet using XDP, the bpf_redirect_map() helper will set up the redirect destination information in struct bpf_redirect_info (using the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination.

When using the BPF_F_BROADCAST flag to do multicast redirect to a whole map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct bpf_redirect_info to point to the destination map to be broadcast. And xdp_do_redirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect. However, if the destination map is being destroyed before xdp_do_redirect() is called, the map pointer will be cleared out (by bpf_clear_redirect_map()) without waiting for any XDP programs to stop running. This causes xdp_do_redirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to dev_map_enqueue().

To fix this, change xdp_do_redirect() to react directly to the presence of the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime. This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/18/2025

The vulnerability described in CVE-2024-36937 affects the Linux kernel's eXpress Data Path implementation, specifically within the XDP packet redirection mechanism. This issue resides in the interaction between the bpf_redirect_map() helper function and the xdp_do_redirect() function, which together manage packet forwarding operations in high-performance network processing contexts. The flaw manifests when handling broadcast redirects to entire maps, creating a race condition that can lead to system crashes. The vulnerability impacts systems utilizing XDP for network packet processing, particularly those implementing multicast forwarding scenarios.

The technical root cause involves a race condition between map destruction and packet redirection processing. When a BPF_F_BROADCAST flag is used for multicast redirection, the __bpf_xdp_redirect_map() helper function stores the destination map pointer in the bpf_redirect_info structure. However, if the destination map is destroyed before xdp_do_redirect() executes, the map pointer gets cleared by bpf_clear_redirect_map() without waiting for all XDP programs to complete. This creates a scenario where xdp_do_redirect() receives inconsistent state information - it interprets the operation as a single-target redirect while the map pointer is NULL, leading to a NULL pointer dereference when dev_map_enqueue() is called. This race condition represents a classic concurrency issue where resource cleanup occurs before dependent operations complete, violating fundamental principles of memory safety in kernel space.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise network service availability and system stability. Systems relying on XDP for high-speed packet processing, particularly in data center environments, cloud infrastructure, or network security appliances, face significant risk. The vulnerability can be exploited through malicious packet injection that triggers the specific redirect path, potentially causing denial of service conditions. Network functions virtualization environments, containerized applications using XDP, and any system implementing BPF-based network processing are at risk. The crash occurs during packet processing, which means legitimate network traffic can be disrupted, and the system may require manual intervention to recover from the kernel panic.

The fix implemented addresses the core concurrency issue by modifying xdp_do_redirect() to directly check the BPF_F_BROADCAST flag in the flags field rather than relying on the potentially cleared map pointer. This approach maintains the existing atomic clearing mechanism for map pointers while ensuring proper disambiguation between broadcast and single-target redirects. The solution follows established kernel security patterns by avoiding additional overhead in the non-broadcast fast path while providing robust protection against the race condition. This remediation aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and addresses ATT&CK techniques related to privilege escalation and denial of service through kernel vulnerabilities. The fix preserves existing performance characteristics while adding the necessary synchronization logic to prevent the NULL pointer dereference, demonstrating a careful balance between security and system efficiency.

Reservation

05/30/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!