@pvts-mat pvts-mat commented May 26, 2025

[LTS 8.6]
CVE-2024-36886
VULN-5314

Problem

https://www.zerodayinitiative.com/advisories/ZDI-24-821/

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with TIPC bearer enabled are vulnerable.

The specific flaw exists within the processing of fragmented TIPC messages. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

Applicability

The vulnerability applies to ciqlts8_6 as the tipc module is enabled:

configs/kernel-x86_64.config:

CONFIG_TIPC=m
CONFIG_TIPC_CRYPTO=y
CONFIG_TIPC_DIAG=m
CONFIG_TIPC_MEDIA_IB=y
CONFIG_TIPC_MEDIA_UDP=y

Solution

The bugfix is given in 080cbb8 in the mainline. Applies to ciqlts8_6 without any changes and surprises.

kABI check: passed

DEBUG=1 CVE=CVE-2024-36886 ./ninja.sh _kabi_checked__$(uname -m)--test--ciqlts8_6-CVE-2024-36886

ninja: Entering directory `/data/build/rocky-patching'
[0/1] Check ABI of kernel [ciqlts8_6-CVE-2024-36886]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_6/build_files/kernel-src-tree-ciqlts8_6-CVE-2024-36886/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_6-CVE-2024-36886/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Coverage

android, bpf (except test_progs, test_kmod.sh, test_xsk.sh, test_progs-no_alu32, test_sockmap), breakpoints, capabilities, core, cpu-hotplug, cpufreq, efivarfs, exec, firmware, fpu, ftrace, futex, gpio, intel_pstate, ipc, kcmp, kexec, kvm, lib, livepatch, membarrier, memfd, memory-hotplug, mount, net/forwarding (except mirror_gre_bridge_1d_vlan.sh, ipip_hier_gre_keys.sh, tc_actions.sh, sch_ets.sh, sch_tbf_root.sh, sch_tbf_ets.sh, mirror_gre_vlan_bridge_1q.sh, sch_tbf_prio.sh), net/mptcp (except simult_flows.sh), net (except udpgso_bench.sh, ip_defrag.sh, reuseaddr_conflict, udpgro_fwd.sh, gro.sh, xfrm_policy.sh, reuseport_addr_any.sh, txtimestamp.sh), netfilter (except nft_trans_stress.sh), nsfs, proc, pstore, ptrace, rseq, sgx, sigaltstack, size, splice, static_keys, tc-testing, timens, timers (except raw_skew), tpm2, vm, x86, zram

Reference

kselftests–ciqlts8_6–run1.log
kselftests–ciqlts8_6–run2.log
kselftests–ciqlts8_6–run3.log

Patch

kselftests–ciqlts8_6-CVE-2024-36886–run1.log
kselftests–ciqlts8_6-CVE-2024-36886–run2.log
kselftests–ciqlts8_6-CVE-2024-36886–run3.log

Comparison

Test results for the reference and patch are the same.

./ktests.xsh diff -d kselftests*.log

Column    File
--------  ----------------------------------------------
Status0   kselftests--ciqlts8_6--run1.log
Status1   kselftests--ciqlts8_6--run2.log
Status2   kselftests--ciqlts8_6--run3.log
Status3   kselftests--ciqlts8_6-CVE-2024-36886--run1.log
Status4   kselftests--ciqlts8_6-CVE-2024-36886--run2.log
Status5   kselftests--ciqlts8_6-CVE-2024-36886--run3.log

To be fair, there isn't any selftest even mentioning tipc, let alone testing it.

grep -R tools/testing/selftests -i -e tipc; echo $?

1

Specific tests: dropped

The RedHat bug page https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-36886 mentions what seems to be a discussion fragment between sam4k and someone from kernel.org:

Summary:
A UAF bug exists within the reassembly of fragmented TIPC messages, specifically in `tipc_buf_append()` function. The issue results due to a lack of checks in the error handling cleanup. It leads to UAF on `struct sk_buff`. Note: The vulnerable path can also be reached in a very similar manner via `TUNNEL_PROTOCOL` messages

The bug can be triggered in local without any permission and capability:

./poc "127.0.0.1" l

The victim requires the below config on ubuntu in order to trigger it remotely. This enables the TIPC bearer on the interface:
```
modprobe tipc
tipc bearer enable media udp name UDP1 localip [victim IP]
./poc "[victim IP]" r
```

References:
https://lore.kernel.org/all/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com/
https://lore.kernel.org/linux-cve-announce/2024053033-CVE-2024-36886-dd83@gregkh/T/#u

An attempt was made to get this poc program for testing purposes. This led to finding sam4k's blog page dedicated to this very CVE: https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/. Although the article covers every possible technical detail, the key element is missing:

Exploitation

Unfortunately I haven't had the time to work on putting together an exploit for this vulnerability, though I'd love to set some time aside in the future. Sorry! :(

If it can't be found there it's probably not on clearnet anywhere.

jira VULN-5314
cve CVE-2024-36886
commit-author Paolo Abeni <[email protected]>
commit 080cbb8

Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
a UAF in the tipc_buf_append() error path:

BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034

CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
 print_address_description linux/mm/kasan/report.c:377
 print_report+0xc4/0x620 linux/mm/kasan/report.c:488
 kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
 kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
 skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
 skb_release_all linux/net/core/skbuff.c:1094
 __kfree_skb linux/net/core/skbuff.c:1108
 kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
 kfree_skb linux/./include/linux/skbuff.h:1244
 tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
 tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
 tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
 tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
 tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
 udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
 udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
 udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
 __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
 ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
 dst_input linux/./include/net/dst.h:461
 ip_rcv_finish linux/net/ipv4/ip_input.c:449
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
 __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
 process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
 __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
 napi_poll linux/net/core/dev.c:6645
 net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
 __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
 do_softirq linux/kernel/softirq.c:454
 do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
 local_bh_enable linux/./include/linux/bottom_half.h:33
 rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
 __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
 dev_queue_xmit linux/./include/linux/netdevice.h:3169
 neigh_hh_output linux/./include/net/neighbour.h:526
 neigh_output linux/./include/net/neighbour.h:540
 ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
 __ip_finish_output linux/net/ipv4/ip_output.c:313
 __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
 NF_HOOK_COND linux/./include/linux/netfilter.h:303
 ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
 dst_output linux/./include/net/dst.h:451
 ip_local_out linux/net/ipv4/ip_output.c:129
 ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
 udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
 udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
 inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
 sock_sendmsg_nosec linux/net/socket.c:730
 __sock_sendmsg linux/net/socket.c:745
 __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
 __do_sys_sendto linux/net/socket.c:2203
 __se_sys_sendto linux/net/socket.c:2199
 __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
 do_syscall_x64 linux/arch/x86/entry/common.c:52
 do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120
RIP: 0033:0x7f3434974f29
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29
RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003
RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

In the critical scenario, either the relevant skb is freed or its
ownership is transferred into a frag_lists. In both cases, the cleanup
code must not free it again: we need to clear the skb reference earlier.

Fixes: 1149557 ("tipc: eliminate unnecessary linearization of incoming buffers")
Cc: [email protected]
Reported-by: [email protected] # ZDI-CAN-23852
Acked-by: Xin Long <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 080cbb8)
Signed-off-by: Marcin Wcisło <[email protected]>
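A constructed userland model of the ownership bug the commit message describes, added here as an illustration; it is not the kernel's code or this PR's patch. `struct buf`, `buf_append`, `run_error_path` and the `fixed` switch are assumptions of the model: `struct buf` stands in for an `sk_buff`, `frag_next` for the skb frag_list, and a freed flag plus counter for KASAN, so the second free on the error path is counted instead of crashing.

```c
#include <stddef.h>
/* Constructed userland model (not the kernel's code) of the tipc_buf_append() error
 * path: struct buf stands in for an skb, frag_next for its frag_list, freed for KASAN. */
enum { FIRST_FRAGMENT = 1, LAST_FRAGMENT = 3 };
struct buf {
    int type, valid;        /* fragment type; valid=0 models a validation failure */
    struct buf *frag_next;  /* frag list link, like skb_shinfo(head)->frag_list */
    int freed;
};
int double_frees;           /* bumped where KASAN would report the UAF */
static void buf_free(struct buf *b)   /* like kfree_skb(): frees b and its frag list */
{
    for (struct buf *n = NULL; b; b = n) {
        n = b->frag_next;
        if (b->freed) double_frees++;   /* a second free is the reported UAF */
        b->freed = 1;
    }
}
/* fixed=0 keeps the original ordering; fixed=1 clears *buf before ownership
 * is transferred, which is what the commit message says the fix does. */
static int buf_append(struct buf **headbuf, struct buf **buf, int fixed)
{
    struct buf *head = *headbuf, *frag = *buf, *tail;
    frag->frag_next = NULL;
    if (frag->type == FIRST_FRAGMENT) {
        if (head) goto err;             /* a second FIRST mid-reassembly */
        *buf = NULL; *headbuf = frag; return 0;
    }
    if (!head) goto err;                /* fragment without a reassembly head */
    if (fixed) *buf = NULL;             /* the fix: reference cleared early */
    for (tail = head; tail->frag_next; tail = tail->frag_next) {}
    tail->frag_next = frag;             /* ownership now belongs to head */
    if (frag->type != LAST_FRAGMENT) { *buf = NULL; return 0; }
    if (!frag->valid) goto err;         /* tipc_msg_validate() failure */
    *buf = head; *headbuf = NULL; return 1;
err:
    buf_free(*buf);      /* unfixed: frees frag once here ... */
    buf_free(*headbuf);  /* ... and again while walking head's frag list */
    *buf = *headbuf = NULL;
    return 0;
}
int run_error_path(int fixed) /* FIRST then an invalid LAST; returns double free count */
{
    struct buf first = { FIRST_FRAGMENT, 1, NULL, 0 }, last = { LAST_FRAGMENT, 0, NULL, 0 };
    struct buf *head = NULL, *in = &first;
    double_frees = 0;
    buf_append(&head, &in, fixed); in = &last;
    buf_append(&head, &in, fixed);
    return double_frees;
}
```

`run_error_path(0)` counts one double free (the frag is released through `*buf` and again through the head's frag list), `run_error_path(1)` counts none.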
@PlaidCat PlaidCat left a comment

:shipit:

@thefossguy-ciq thefossguy-ciq left a comment

🚤

@bmastbergen bmastbergen left a comment

🥌

@bmastbergen bmastbergen merged commit 8df2e44 into ctrliq:ciqlts8_6 May 29, 2025
2 checks passed