CVE-2024-57982
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.
Security Summary
CVE-2024-57982 is an out-of-bounds read vulnerability in the Linux kernel's xfrm subsystem, specifically during xfrm state lookup operations. The issue arises from a race condition where lookup and resize (rehash) can execute in parallel, causing hash functions to observe a state_hmask value that exceeds the size of the new hlist array in net->xfrm.state_bydst. This affects the xfrm_state_hash_generation seqlock mechanism, which normally ensures retries but fails to guarantee consistency between the pointer updates and hmask in RCU contexts.
A local attacker with low privileges can exploit this vulnerability without user interaction. Successful exploitation triggers an out-of-bounds read, potentially leading to high confidentiality impact through information disclosure or high availability impact via denial of service, such as kernel crashes. The CVSS 3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) reflects these characteristics, with no integrity impact.
Mitigation requires applying upstream kernel patches, as detailed in the referenced commits: a16871c7832ea6435abb6e0b58289ae7dcb7e4fc, b86dc510308d7a8955f3f47a4fea4bef887653e4, dd4c2a174994238d55ab54da2545543d36f4e0d0, and e952837f3ddb0ff726d5b582aa1aad9aa38d024d. These fixes prefetch state_hmask and associated pointers before use, leverage the seqlock for consistency, add lockdep assertions to existing helpers like xfrm_dst_hash() for insert-side safety only, and note that xfrm_state_lookup_byaddr() should transition to RCU in future updates.
Details
- CWE(s)