CVE-2024-44973 in Linux
Summary
by MITRE • 09/04/2024
In the Linux kernel, the following vulnerability has been resolved:
mm, slub: do not call do_slab_free for kfence object
In 782f8906f805 the freeing of kfence objects was moved from deep inside do_slab_free to the wrapper functions outside. This is a nice change, but unfortunately it missed one spot in __kmem_cache_free_bulk.
This results in a crash like this:
BUG skbuff_head_cache (Tainted: G S B E ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840
slab_err (mm/slub.c:1129)
free_to_partial_list (mm/slub.c:? mm/slub.c:4036)
slab_pad_check (mm/slub.c:864 mm/slub.c:1290)
check_slab (mm/slub.c:?)
free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)
kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)
napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)
All the other callers to do_slab_free appear to be ok.
Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash.
Analysis
by VulDB Data Team • 12/13/2024
The vulnerability described in CVE-2024-44973 represents a critical memory management flaw within the Linux kernel's SLUB (Simple List Uniform Block) allocator subsystem. This issue specifically affects the handling of kfence objects, which are used for kernel memory debugging and validation purposes. The vulnerability stems from an incomplete code modification that was intended to improve memory deallocation processes but inadvertently created a path where kfence objects could be processed through the standard slab free mechanism when they should be handled differently. The SLUB allocator is responsible for managing kernel memory allocations and deallocations, making it a fundamental component of system stability and security.
The technical root cause manifests in the __kmem_cache_free_bulk function where the code fails to properly check for kfence objects before invoking the standard slab free operations. This oversight creates a scenario where kfence objects, which have special handling requirements due to their debugging nature, are inadvertently processed through the regular do_slab_free path. The kernel's memory validation mechanisms detect this improper handling and trigger a crash with the specific error message indicating padding overwrites in the skbuff_head_cache. This type of memory corruption directly violates memory safety principles and can lead to system instability or potential exploitation.
The operational impact of this vulnerability is severe as it can cause immediate system crashes during normal operation when network packets are processed through the skbuff subsystem. The crash pattern shows that the error occurs during the free_to_partial_list function call chain, indicating that the memory corruption affects the slab management structures themselves. This vulnerability affects the fundamental memory allocation subsystem and can impact various network-related functions that rely on the skbuff cache, potentially causing denial of service conditions or system panics. The issue is particularly concerning because it affects the core kernel memory management without proper bounds checking, creating a potential attack surface for privilege escalation or system compromise.
The fix implemented addresses this vulnerability by adding a kfence_free check within the __kmem_cache_free_bulk function to prevent kfence objects from being processed through the standard slab free path. This remediation aligns with the principle of least privilege and proper resource management by ensuring that debugging objects maintain their specialized handling. The solution follows established security practices for kernel memory management and prevents the memory corruption that would otherwise occur when kfence objects are improperly processed. This vulnerability demonstrates the importance of thorough testing during kernel modifications and the critical nature of maintaining proper object type discrimination in memory management subsystems. The fix directly addresses the CWE-122 (Heap Buffer Overflow) and CWE-787 (Out-of-bounds Write) categories while preventing potential exploitation through improper memory access patterns that could be leveraged by malicious actors to compromise system integrity.
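As an added illustration (a constructed user-space model, not kernel code and not the commit's own diff), the following shows why handing a kfence object to the regular do_slab_free path trips the debug padding check, and how the kfence_free check in the bulk free loop avoids it. The model assumes, as a simplification, that a kfence page simply does not carry the POISON_INUSE padding that slab_pad_check expects after the last whole object; the page sizes, object size and poison byte are constructed values.

```c
/* Toy user-space model of the CVE-2024-44973 dispatch bug; constructed example, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POISON_INUSE 0x5a            /* SLUB's padding poison byte (assumed value) */
#define OBJ_SIZE     24
#define PAGE_BYTES   64              /* two objects plus 16 bytes of padding */
#define PAD_BYTES    (PAGE_BYTES % OBJ_SIZE)

static uint8_t slab_page[PAGE_BYTES];   /* regular slab page: padding is poisoned */
static uint8_t kfence_page[PAGE_BYTES]; /* kfence page: own layout, never poisoned */

static bool is_kfence_address(const void *p) {
    return (const uint8_t *)p >= kfence_page && (const uint8_t *)p < kfence_page + PAGE_BYTES;
}
/* Mirrors slab_pad_check(): bytes after the last whole object must still be POISON_INUSE. */
static bool slab_pad_ok(const uint8_t *page) {
    for (size_t i = PAGE_BYTES - PAD_BYTES; i < PAGE_BYTES; i++)
        if (page[i] != POISON_INUSE)
            return false;            /* "BUG ...: Padding overwritten" */
    return true;
}
/* Model of do_slab_free() with SLUB debugging on: validate the page the object sits on. */
static bool do_slab_free(const void *obj) {
    const uint8_t *page = is_kfence_address(obj) ? kfence_page : slab_page; /* virt_to_slab() */
    return slab_pad_ok(page);
}
/* Model of kfence_free(): true when the object is kfence's and was released by kfence. */
static bool kfence_free(const void *obj) { return is_kfence_address(obj); }
/* Bulk free. 'fixed' adds the kfence check the patch introduced. Returns slab errors found. */
static int bulk_free(void **p, size_t n, bool fixed) {
    int errors = 0;
    for (size_t i = 0; i < n; i++) {
        if (fixed && kfence_free(p[i]))
            continue;                /* the check that was missing in __kmem_cache_free_bulk */
        if (!do_slab_free(p[i]))
            errors++;
    }
    return errors;
}
/* Free two slab objects and one kfence object in a single bulk call. */
int run_scenario(bool fixed) {
    memset(slab_page, 0, PAGE_BYTES);
    memset(slab_page + PAGE_BYTES - PAD_BYTES, POISON_INUSE, PAD_BYTES);
    void *objs[] = { slab_page, slab_page + OBJ_SIZE, kfence_page };
    return bulk_free(objs, 3, fixed);   /* vulnerable path: 1 error; fixed path: 0 */
}
```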