CVE-2024-40907 in Linux

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

ionic: fix kernel panic in XDP_TX action

In the XDP_TX path, ionic driver sends a packet to the TX path with rx page and corresponding dma address. After tx is done, ionic_tx_clean() frees that page. But RX ring buffer isn't reset to NULL. So, it uses a freed page, which causes kernel panic.

BUG: unable to handle page fault for address: ffff8881576c110c
PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060
Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8
RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283
RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002
RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e
RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8
R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100
FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 ? __die+0x20/0x70
 ? page_fault_oops+0x254/0x790
 ? __pfx_page_fault_oops+0x10/0x10
 ? __pfx_is_prefetch.constprop.0+0x10/0x10
 ? search_bpf_extables+0x165/0x260
 ? fixup_exception+0x4a/0x970
 ? exc_page_fault+0xcb/0xe0
 ? asm_exc_page_fault+0x22/0x30
 ? 0xffffffffc0051f64
 ? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
 ? do_raw_spin_unlock+0x54/0x220
 ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 __napi_poll.constprop.0+0xa0/0x440
 net_rx_action+0x7e7/0xc30
 ? __pfx_net_rx_action+0x10/0x10


Analysis

by VulDB Data Team • 10/15/2024

The vulnerability described in CVE-2024-40907 affects the Linux kernel's ionic network driver, specifically within the XDP_TX (eXpress Data Path transmit) action pathway. This flaw arises from improper memory management during packet processing, leading to a kernel panic when the system attempts to access a freed memory page. The ionic driver is responsible for managing network interfaces on certain Intel Ethernet controllers, and its integration with the XDP framework allows for high-performance packet processing directly in the kernel, bypassing traditional network stack layers. The issue manifests when a packet is transmitted via XDP_TX and subsequently processed through the transmit cleanup function ionic_tx_clean(), which correctly frees the associated memory page but fails to reset the corresponding RX ring buffer entry to NULL. This oversight leaves a dangling pointer that still references the freed page, and the kernel crashes when it dereferences that invalid pointer during subsequent packet processing.

The technical root cause of this vulnerability aligns with CWE-415: Double Free and CWE-416: Use After Free, both of which are common in kernel memory management scenarios where improper state tracking leads to access of deallocated resources. The crash occurs in the context of BPF (Berkeley Packet Filter) program execution, specifically within the balancer_ingress function, indicating that the vulnerability is triggered when BPF programs are applied to packets processed through the XDP path. The kernel panic results from a page fault at address ffff8881576c110c, which corresponds to the freed page that the RX ring buffer still points to. The stack trace demonstrates the execution flow from the NAPI polling mechanism through the ionic driver's service functions, ultimately failing when the system attempts to dereference a freed page pointer. The use of XDP actions combined with BPF programs creates a complex memory access pattern that makes this type of memory corruption particularly challenging to detect and prevent.

The operational impact of this vulnerability is significant, as it can lead to complete system crashes and denial of service on affected systems running the Linux kernel with the ionic driver and XDP-enabled network configurations. Systems utilizing high-performance networking features such as XDP, BPF programs, or load balancing through kernel space will be particularly vulnerable. The vulnerability affects systems where the ionic driver is actively processing network traffic through XDP_TX actions, potentially including servers running high-throughput network applications, network virtualization platforms, or systems implementing advanced traffic management policies. The crash occurs during normal packet processing operations, meaning that even benign network traffic can trigger the vulnerability, making it particularly dangerous in production environments where system stability is critical. Attackers could potentially exploit this vulnerability to cause persistent denial of service; although direct remote code execution is not implied by the description, the kernel panic would effectively render the affected system unusable until reboot.

Mitigation strategies for this vulnerability involve applying the official kernel patch that addresses the improper memory management in the ionic driver's XDP_TX path. The fix requires ensuring that the RX ring buffer entries are properly reset to NULL after packet processing is complete, preventing the use of freed memory references. System administrators should immediately update to kernel versions that include the patched ionic driver implementation, typically those containing the commit that resolves the memory management issue. Organizations using XDP and BPF features should also review their network configurations to ensure that no unnecessary XDP actions are being performed on interfaces that may be vulnerable. Monitoring for kernel oops messages or system crashes related to ionic driver operations can help identify systems that may not have been properly patched. Additionally, implementing network traffic filtering rules that avoid triggering the problematic XDP_TX code path can serve as a temporary workaround while patches are deployed. The vulnerability highlights the importance of thorough memory management practices in kernel space, particularly when dealing with high-performance networking features that involve complex state tracking and memory reuse patterns.
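The ownership handoff the analysis describes, as an added example that is not part of this page or of the ionic driver's code: a user-space C model in which the RX ring slot is either left pointing at the page handed to the TX ring (the bug) or cleared so the next refill allocates a fresh page (the fix). The names slot, xdp_tx, tx_clean, rx_fill and run_xdp_tx_roundtrip are assumed stand-ins for the driver's buf_info handling, not its real functions.

```c
/* Added example, not the ionic driver's code: a user-space model of the RX/TX
 * page ownership handoff behind CVE-2024-40907. A "page" carries a freed flag so
 * reuse after free is detected, not crashed on. Names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdlib.h>

struct page { bool freed; };        /* constructed stand-in for struct page */
struct slot { struct page *page; }; /* a ring entry, like the driver's buf_info */

static struct page *page_alloc(void) { return calloc(1, sizeof(struct page)); }

/* XDP_TX: hand the RX page to the TX ring. reset_rx=false leaves the RX slot
 * pointing at the page (the bug); reset_rx=true clears it so the next refill
 * allocates a fresh page (what resetting the RX entry to NULL achieves). */
static void xdp_tx(struct slot *rx, struct slot *tx, bool reset_rx)
{
    tx->page = rx->page;
    if (reset_rx)
        rx->page = NULL;
}

/* TX completion (ionic_tx_clean in the driver): free the page it was handed. */
static void tx_clean(struct slot *tx)
{
    tx->page->freed = true;  /* real code frees the page; here we only mark it */
    tx->page = NULL;
}

/* RX refill: allocate only when the slot is empty, otherwise keep recycling
 * the page the slot still references. Returns true if that page is already
 * freed, i.e. the RX path is about to use freed memory. */
static bool rx_fill(struct slot *rx)
{
    if (!rx->page)
        rx->page = page_alloc();
    return rx->page->freed;
}

/* One XDP_TX round trip; returns whether RX ended up reusing a freed page. */
bool run_xdp_tx_roundtrip(bool with_fix)
{
    struct slot rx = { .page = page_alloc() }, tx = { .page = NULL };
    struct page *orig = rx.page;
    xdp_tx(&rx, &tx, with_fix);
    tx_clean(&tx);
    bool uaf = rx_fill(&rx);
    if (rx.page != orig)
        free(rx.page);  /* fresh page allocated on the fixed path */
    free(orig);
    return uaf;
}
```

The unfixed path returns true because the RX slot recycles the page the TX completion already released; the fixed path returns false because the cleared slot forces a new allocation.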

Responsible

Linux

Reservation

07/12/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00238

KEV

no

Activities

very low

Sources
