CVE-2024-26921: inet: inet_defrag: prevent sk release while still in use
In the Linux kernel, the following vulnerability has been resolved:
inet: inet_defrag: prevent sk release while still in use
ip_local_out() and other functions can pass skb->sk as function argument.
If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released.
This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.
Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing.
A relevant old patch about the issue was: 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()")
[..]
net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one.
If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly.
We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used.
Eric suggested stashing sk in the fragment queue and made an initial patch. However there is a problem with this:
If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accounting to reflect the fully reassembled skb, else wmem will underflow.
This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with skbuff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered.
This allows delaying the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue.
In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine.
In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accounting when inet_frag inflates truesize.
Other sources
In the Linux kernel, the following vulnerability has been resolved:
inet: inet_defrag: prevent sk release while still in use
The Linux kernel CVE team has assigned CVE-2024-26921 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041819-CVE-2024-26921-e3b3@gregkh/T
— Red Hat
The Linux Kernel is vulnerable to a denial of service, caused by a buffer underflow when skb fragments are reassembled via netfilter or similar modules. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Frequently Asked Questions
What is the severity of CVE-2024-26921?
The severity of CVE-2024-26921 is classified as moderate, indicating a potential impact on system stability.
How do I fix CVE-2024-26921?
To fix CVE-2024-26921, users should update their Linux kernel to versions 6.1.85, 6.6.26, 6.8.5, or 6.9 according to their distribution.
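As an added example (not part of the advisory or of the kernel project), the shell function below compares a kernel version string against the mainline fixed versions listed above (6.1.85, 6.6.26, 6.8.5 and 6.9) and reports `fixed`, `vulnerable` or `unknown`. The sample version strings in the script are constructed; the `-18-amd64` and `-arch1` suffixes are only there to show that distribution suffixes are stripped before comparing. Distribution kernels backport fixes without bumping the upstream version, so `vulnerable` here means "check the vendor advisory", not a confirmed exposure, and `unknown` means the stable branch is not one the page names.

```shell
#!/bin/sh
# Added example: classify a kernel version against the fixed versions the
# advisory lists for CVE-2024-26921. Not a substitute for the vendor advisory,
# because Red Hat, Debian and others backport fixes into older version strings.

# Reduce "6.1.0-18-amd64" to "6.1.0" and "6.8.5-arch1" to "6.8.5".
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# True (exit 0) when dotted version $1 >= $2, comparing field by field
# numerically so that 6.10 sorts after 6.9.
version_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
    [ "$top" = "$1" ]
}

# Prints one of: fixed, vulnerable, unknown.
cve_2024_26921_status() {
    v=$(kernel_base_version "$1")
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        6.1) fix=6.1.85 ;;   # stable branch fix versions from the advisory
        6.6) fix=6.6.26 ;;
        6.8) fix=6.8.5 ;;
        *)
            # Anything at or past 6.9 carries the mainline fix; older branches
            # not named on the page cannot be judged from the version alone.
            if version_ge "$v" 6.9; then echo fixed; else echo unknown; fi
            return 0 ;;
    esac
    if version_ge "$v" "$fix"; then echo fixed; else echo vulnerable; fi
}

# Usage: check the running kernel, or any version string passed as $1.
if [ -n "${1-}" ]; then
    cve_2024_26921_status "$1"
elif [ -z "${CVE_CHECK_NO_MAIN-}" ]; then
    cve_2024_26921_status "$(uname -r)"
fi
```

Run it as `sh check.sh` to classify the running kernel, or `sh check.sh 6.1.0-18-amd64` to classify a constructed version string; the latter reports `vulnerable` even on a Debian kernel that has the backported fix, which is exactly why the distribution advisory, not the version string, is the authoritative source.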
What systems are affected by CVE-2024-26921?
CVE-2024-26921 affects various versions of the Linux kernel as provided by Red Hat and Debian distributions.
What is the nature of the vulnerability in CVE-2024-26921?
CVE-2024-26921 is related to improper handling of socket buffer integrity during packet processing in the Linux kernel.
When was CVE-2024-26921 published?
CVE-2024-26921 was published on February 6, 2024.