
CVE-2024-42114: Vulnerability in Linux Linux

High
Published: Tue Jul 30 2024 (07/30/2024, 07:46:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM to 2^31.

We had a similar issue in sch_fq, fixed with commit d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")

watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]

AI-Powered Analysis

Last updated: 06/29/2025, 05:25:36 UTC

Technical Analysis

CVE-2024-42114 is a vulnerability identified in the Linux kernel's WiFi subsystem, specifically within the cfg80211 component that handles wireless configuration. The issue arises from insufficient validation of the NL80211_ATTR_TXQ_QUANTUM attribute, which controls the quantum value for transmit queues. An attacker can set this attribute to an excessively large value (2^31), triggering a soft lockup in the kernel. This vulnerability is related to a previously addressed issue in the fq (Fair Queueing) packet scheduler, where improper quantum values caused similar problems.

The soft lockup manifests as the CPU becoming stuck for extended periods (e.g., 26 seconds), effectively halting normal processing on affected cores. The kernel stack trace indicates the problem occurs during packet transmission handling in the mac80211 wireless stack, specifically in the ieee80211_tx_dequeue function and related queue management routines. The vulnerability can be triggered by syzbot, an automated kernel fuzzer, indicating that it can be exploited without privileged access but requires the ability to interact with the wireless configuration interface.

While no known exploits are currently reported in the wild, the flaw could be leveraged to cause denial of service (DoS) conditions by causing kernel soft lockups, impacting system availability. The affected Linux kernel versions include recent development builds (e.g., 6.9.0-rc7) and potentially other versions that have not yet incorporated the fix. The vulnerability was published on July 30, 2024, and no CVSS score has been assigned yet.
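Why a quantum of 2^31 can stall the dequeue path, shown as an added example (not code from the kernel or from this page). It is a user-space model that assumes the scheduler keeps a signed 32-bit per-flow deficit seeded and refilled from the unsigned quantum; the function names and the sample values 300 and 1500 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of a deficit round-robin dequeue loop.
 * Assumption: each flow has a signed 32-bit deficit that is seeded and
 * refilled from an unsigned 32-bit quantum. All names are hypothetical. */

/* Add the quantum with 32-bit wraparound (how gcc/clang convert here). */
static int32_t credit(int32_t deficit, uint32_t quantum)
{
    return (int32_t)((uint32_t)deficit + quantum);
}

/* Refill-and-requeue rounds a new flow needs before it may send again
 * after one packet of pkt_len bytes. Returns -1 if it is still not
 * eligible after `limit` rounds, i.e. the real loop would keep spinning. */
static int rounds_until_eligible(uint32_t quantum, int32_t pkt_len, int limit)
{
    int32_t deficit = credit(0, quantum);   /* new flow: deficit = quantum */
    int rounds = 0;

    if (deficit > 0)
        deficit -= pkt_len;                 /* charge the packet just sent */
    while (deficit <= 0) {
        if (rounds == limit)
            return -1;
        deficit = credit(deficit, quantum); /* refill, move to list tail */
        rounds++;
    }
    return rounds;
}

/* Illustrative bound (not the kernel's policy entry): accept only quanta
 * that are still positive once stored in the signed counter. */
static int quantum_is_sane(uint32_t quantum)
{
    return quantum >= 1 && quantum <= (uint32_t)INT32_MAX;
}

int main(void)
{
    /* Constructed sample values: a small quantum, the largest sane one,
     * and the 2^31 value named in the description. */
    const uint32_t samples[] = { 300u, (uint32_t)INT32_MAX, 0x80000000u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("quantum=%u sane=%d rounds=%d\n", (unsigned)samples[i],
               quantum_is_sane(samples[i]),
               rounds_until_eligible(samples[i], 1500, 1000));
    return 0;
}
```

In the model, 2^31 is stored as the most negative 32-bit value and each refill only toggles the deficit between that value and 0, so the flow never becomes eligible; a range check at the configuration boundary removes that state.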

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with wireless capabilities. The impact is mainly a denial of service through kernel soft lockups, which can disrupt critical services relying on wireless networking, including enterprise WiFi infrastructure, IoT devices, and edge computing nodes. Organizations with Linux-based wireless routers, access points, or embedded devices could experience outages or degraded network performance. In sectors such as telecommunications, manufacturing, healthcare, and public services where Linux-based wireless systems are prevalent, this could lead to operational disruptions. Additionally, the vulnerability could be exploited in multi-tenant environments or cloud infrastructures using Linux-based virtual machines with wireless interfaces, potentially affecting service availability. Although the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting denial of service could be leveraged as part of a broader attack chain or to cause targeted disruption.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2024-42114 as soon as they become available, ensuring that the cfg80211 component properly validates NL80211_ATTR_TXQ_QUANTUM values.
2) Temporarily restrict or disable wireless configuration interfaces for untrusted users or processes to prevent unauthorized manipulation of transmit queue parameters.
3) Monitor kernel logs and system behavior for signs of soft lockups or unusual CPU stalls related to wireless packet transmission.
4) Employ kernel hardening and runtime protection tools that can detect and recover from soft lockups or anomalous kernel states.
5) For critical infrastructure, consider network segmentation and limiting exposure of wireless management interfaces to reduce attack surface.
6) Engage with Linux distribution vendors and maintainers to track patch availability and backport fixes to stable kernel versions used in production environments.
7) Conduct thorough testing of wireless subsystem updates in staging environments before deployment to avoid regressions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-29T15:50:41.178Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1acb

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 5:25:36 AM

Last updated: 8/1/2025, 6:22:16 PM
